[email protected] <[email protected]> wrote:
> IPsec is an important protocol family of the Internet. And we think it
> may be more powerful just by adding a few changes to it.
> Source Address Validation (SAV) is a problem that can be partially
> solved by using IPsec or other approaches. However, IPsec AH needs to
> hash the whole changeless fields of the length-variable packet and
> IPsec ESP needs to encrypt the whole packet. Therefore the AH or ESP
> are too costly and heavy to implement the source address
> validation. We design a new tech mechanism that uses RPKI and IPsec to
> solve the inter-domain SAV problem.
It's not the AH/ESP that's costly, it's the key agreement protocol that
takes time.
> This new mechanism needs to define a new type of IPsec SA using
> together with RPKI to validate the inter-domain layer source
> address. As it only needs to choose a few fields to protect but not
> the whole packet, this will dramatically decrease the computation cost
> compared with the original IPsec AH or ESP. Thus it may be used
> globally in the Internet.
Yes, maybe.
You may want to look at TF-ESP, which is a failed protocol.
RFC5840.
> Two drafts were submitted for that purpose. The one, ERISAV, describes
> its motivation, main framework, and interactive process. And the other,
> RISAV, describes detailed things about how to use RPKI, IKE, and IPsec
> AH for source address validation.
> The drafts' links are
> 1. https://datatracker.ietf.org/doc/draft-xu-erisav/
> 2. https://datatracker.ietf.org/doc/draft-xu-risav/
> The above announcement is these drafts. We would like to work with the
> community to improve and clarify these tech drafts.
They aren't yet mirrored to my laptop, but I'll read them as soon as I
have Internet again.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
