The IKE negotiation for diet-esp is currently defined in a specific draft:
https://datatracker.ietf.org/doc/draft-mglt-ipsecme-ikev2-diet-esp-extension/
I think you are suggesting that the architecture description details what is negotiated by IKEv2. Am I correct?

Yours,
Daniel

On Tue, May 24, 2022 at 4:59 PM Robert Moskowitz <rgm-...@htt-consult.com> wrote:

> In My Highly Biased Opinion,,,
>
> There should be a section on the IKE negotiation of diet-esp, specifically
> calling out how this is done. Especially the incoming SPI selection.
>
> Then there should be a section, perhaps sub-section of above, on incoming
> datagram processing to recognize a shortened SPI on the wire and pass it
> off to diet-esp processing.
>
> I keep thinking back to when we had fun writing 2410 and one implementor
> did not get the joke and did it wrong and would not interop in null mode
> with any other product.
>
> They were really not happy campers...
>
> On 5/24/22 16:47, Daniel Migault wrote:
>
> The issue only comes when a gateway wants to support all sizes of SPIs
> 0 - 1 - 2 - 3 - 4 bytes - which is very unlikely. For a deterministic
> lookup, I would suggest using IP addresses and the minimum allowed byte
> compressed SPI.
> If you use 2 - 3 bytes, the likelihood of collision might still be very
> low to support an additional signature check.
>
> Yours,
> Daniel
>
> On Tue, May 24, 2022 at 4:30 PM Robert Moskowitz <rgm-...@htt-consult.com>
> wrote:
>
>> That is the 'easy' part.
>>
>> What does the code do when it receives an ESP packet? How does it know
>> that it is a diet-esp packet and apply the rules?
>>
>> Next Header just says: ESP.
>>
>> On 5/24/22 16:23, Daniel Migault wrote:
>>
>> This is correct. IKEv2 is used both to agree on the use of Diet-ESP as
>> well as values to be used for the compression/decompression.
>>
>> Yours,
>> Daniel
>>
>> On Tue, May 24, 2022 at 11:14 AM Paul Wouters
>> <paul.wouters=40aiven...@dmarc.ietf.org> wrote:
>>
>>> On Sun, May 22, 2022 at 9:20 PM Robert Moskowitz
>>> <rgm-...@htt-consult.com> wrote:
>>>
>>>> I think there is something else I am missing here.
>>>>
>>>> How does the receiving system 'know' that the packet is a diet-esp
>>>> packet?
>>>
>>> https://datatracker.ietf.org/doc/html/draft-mglt-ipsecme-ikev2-diet-esp-extension-02
>>>
>>> It's negotiated with IKEv2.
>>>
>>> I guess the IKE stack has to signal this to the ESP implementation on
>>> what to expect when the policy is installed?
>>>
>>> Paul
>>>
>>> _______________________________________________
>>> IPsec mailing list
>>> IPsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipsec
>>
>> --
>> Daniel Migault
>> Ericsson
>>
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec
>
> --
> Daniel Migault
> Ericsson
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

--
Daniel Migault
Ericsson
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
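The inbound lookup discussed in the thread (address pair plus compressed SPI, with the integrity check resolving collisions), as an added sketch that is not from the drafts or from any participant. It assumes the wire carries the least-significant bytes of the 32-bit SPI, that IKEv2 has already installed one SPI size per address pair, and that a truncated HMAC-SHA-256 stands in for the ICV; `SA`, `InboundSAD`, `seal` and `icv` are hypothetical names.

```python
import hashlib
import hmac
from dataclasses import dataclass

ICV_LEN = 16  # assumption: HMAC-SHA-256 truncated to 16 bytes stands in for the ICV


@dataclass(frozen=True)
class SA:
    spi: int       # full 32-bit inbound SPI chosen by the receiver
    spi_size: int  # bytes of SPI on the wire (0-4), agreed via IKEv2
    key: bytes     # integrity key


def icv(sa, body):
    return hmac.new(sa.key, body, hashlib.sha256).digest()[:ICV_LEN]


def seal(sa, data):
    """Build a constructed test packet: compressed SPI || data || ICV."""
    low = sa.spi.to_bytes(4, "big")[4 - sa.spi_size:]
    return low + data + icv(sa, low + data)


class InboundSAD:
    def __init__(self):
        self.by_peer = {}  # (src, dst) -> list of SAs sharing one spi_size

    def install(self, src, dst, sa):
        sas = self.by_peer.setdefault((src, dst), [])
        if sas and sas[0].spi_size != sa.spi_size:
            # One SPI size per address pair keeps the parse deterministic.
            raise ValueError("mixed compressed SPI sizes for one peer")
        sas.append(sa)

    def lookup(self, src, dst, payload):
        sas = self.by_peer.get((src, dst), [])
        if not sas or len(payload) < sas[0].spi_size + ICV_LEN:
            return None
        n = sas[0].spi_size
        wire = int.from_bytes(payload[:n], "big")
        mask = (1 << (8 * n)) - 1
        body, tag = payload[:-ICV_LEN], payload[-ICV_LEN:]
        for sa in sas:
            # Compressed SPIs can collide; the ICV check disambiguates.
            if sa.spi & mask == wire and hmac.compare_digest(tag, icv(sa, body)):
                return sa
        return None
```

With `spi_size` 0 every SA for the address pair is a candidate, so the cost of the lookup is one integrity check per SA installed for that peer.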