
RE: [rohc] RE: (in)security of ESP with header compression

>>>>> "Yaron" == Yaron Sheffer <yaronf@xxxxxxx> writes:

 Yaron> Hi Steve, I see a trade-off here between tweaking ROHC to deal
 Yaron> with reordering channels (it may be easy or hard, I don't
 Yaron> know) and tweaking the ESP *implementation* to undo such
 Yaron> reordering. I accept that the RFC doesn't mandate or even
 Yaron> suggest it, and from an architectural perspective it's not
 Yaron> clean. But it's a minor change to the implementation of
 Yaron> sequence-number handling in ESP...

Nonsense.  It's a very major change in the implementation of ESP.

ESP processes IP packets one at a time.  It does not care whether they
are being reordered; it does not, repeat NOT, put them in any order
different from the order in which they arrived.

To do what you suggest would be a large redesign, which would also
completely ruin performance.  ("Fragmentation considered Harmful" by
Jeff Mogul explains this nicely, for a different case where the same
considerations are valid.)

Note also that there are a bunch of ESP implementations done in
silicon.  For those, what you propose is even more unreasonable than
it would be for a software implementation.  But I don't think any
implementer of either kind of implementation would consider your