> As an author of WESP I can say that the way this draft uses WESP to
> protect 1588 is not very appropriate. The draft tries to add
> some additional identifiers in each protocol packet to
> uniquely identify 1588 packets. This in the security land
> will not be accepted as anybody snooping on the wire will be
> easily able to disambiguate 1588 packets from other packets
> in the stream. If the authors want to use WESP then they must
> negotiate this unique ID (or a set of IDs) in IKE and pad the
> packets randomly so that the attackers can't identify the 1588
> packets in the IPsec stream.
>
> In that case the receiving end will also be unable to
> identify those packets, which defeats the purpose of the draft.

The end node would know the IDs carried in WESP as those would have been exchanged before. They will recognize the 1588 packets and process them accordingly.

Cheers, Manav

> Danny

_______________________________________________
TICTOC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tictoc
