[Sis-csi] IPSec AH and SCPS-NP

Weiss, Howard Howard.Weiss at sparta.com
Thu Dec 7 12:25:33 EST 2006


Actually, a bigger question is does it really make a difference?  

The reason I say this is that the AH header overhead is 12 bytes.  On short packets, 12 bytes vs. 1 byte is a big difference.  HOWEVER, we are talking about carrying AH traffic.  

This means that there is a (relatively speaking) large Integrity Check Value (ICV) that ensures the integrity and authenticity of the packet.  Using HMAC-MD5-96, this means adding 12 bytes of ICV to every packet anyway. And this assumes that MD5 (which normally pumps out 16 bytes of ICV) is truncated to 96 bits as specified in RFC 2104 and FIPS PUB 198a.  Moving away from MD5 takes us to the 20 byte SHA-1 and to the 32 byte SHA-256 (as NIST is already suggesting the movement away from SHA-1 by 2010). 

Howie
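
The ICV sizes discussed in the message above, worked through as an added example (not part of the original message or of any CCSDS code). It assumes the 12-byte AH header and the ICV are counted separately and that the ICV is computed over the raw packet bytes, which simplifies what real AH covers; the key and payload are constructed samples.

```python
import hmac

AH_FIXED_BYTES = 12  # AH header overhead, figure quoted in the message above
NP_MIN_HEADER = 1    # minimal SCPS-NP header, figure quoted in the thread

# (label, hashlib name, ICV bytes): MD5 truncated to 96 bits, the others at
# the full digest lengths the message cites.
ICV_OPTIONS = [
    ("HMAC-MD5-96", "md5", 12),
    ("HMAC-SHA-1", "sha1", 20),
    ("HMAC-SHA-256", "sha256", 32),
]


def compute_icv(key, data, hash_name, icv_len):
    """Return the leftmost icv_len bytes of HMAC(key, data)."""
    return hmac.new(key, data, hash_name).digest()[:icv_len]


def verify_icv(key, data, icv, hash_name, icv_len):
    """Check a received ICV; the expected length comes from local policy."""
    if len(icv) != icv_len:  # never let the packet choose how short the tag is
        return False
    return hmac.compare_digest(compute_icv(key, data, hash_name, icv_len), icv)


def overhead_table(payload_len):
    """Per-packet authentication cost for each ICV option."""
    rows = []
    for label, _name, icv_len in ICV_OPTIONS:
        auth = AH_FIXED_BYTES + icv_len
        total = NP_MIN_HEADER + auth + payload_len
        rows.append((label, icv_len, auth, total, round(auth / total, 3)))
    return rows


if __name__ == "__main__":
    key = b"\x0b" * 16             # constructed sample key
    packet = b"constructed 16B.."  # constructed sample payload
    for label, name, icv_len in ICV_OPTIONS:
        icv = compute_icv(key, packet, name, icv_len)
        assert verify_icv(key, packet, icv, name, icv_len)
        assert not verify_icv(key, packet, icv[:4], name, icv_len)
        print(label, icv.hex())
    for row in overhead_table(16):
        print(row)
```

Each row is (algorithm, ICV bytes, AH header plus ICV bytes, total packet bytes with a 1-byte NP header, fraction of the packet spent on authentication).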

-----Original Message-----
From: sis-csi-bounces at mailman.ccsds.org [mailto:sis-csi-bounces at mailman.ccsds.org] On Behalf Of Scott, Keith L.
Sent: Thursday, December 07, 2006 11:18 AM
To: Marc Blanchet
Cc: Durst, Robert C.; sis-csi at mailman.ccsds.org; Feighery,Patrick D.
Subject: RE: [Sis-csi] IPSec AH and SCPS-NP

That would work (and *is* sort of what would happen with ESP, since the
inner IP header's encrypted).  One of the main points of SCPS-NP,
however, is bit efficiency, which would be lost with a tunneling
approach -- why not simply forward the original IPv4/AH packet and save
the few bytes of NP header?

I think the difference in size is significant.  A minimal NP header is
just one byte.  Granted it will take ~5-10 bytes for the AH header, but
another 40 for IP would be a lot.  One could use IPv4 header
compression to reduce that and tunnel the compressed IPv4 header, but
as above, one could simply route the (compressed) v4.

I was going to say that I don't think there's any issue with v6, since
all of the header information has to be reconstructable from the NP
packet, but there's that flow label field that I don't think NP would
support carrying...  There are defined TPIDs for IPv6 AH and ESP; I
wonder if we need to do something to support carriage of the flow label
field?  If we go with option 2 or 3 from the slides (that use some of
the reserved bits in the SCPS-NP control field), we could say that one
of those bits in conjunction with IPv6 means that the flow label is
present (or not).

Certainly a question worth asking!

	--keith

-----Original Message-----
From: Marc Blanchet [mailto:marc.blanchet at viagenie.ca] 
Sent: Thursday, December 07, 2006 9:43 AM
To: Scott, Keith L.
Cc: sis-csi at mailman.ccsds.org; Feighery, Patrick D.; Durst, Robert C.
Subject: Re: [Sis-csi] IPSec AH and SCPS-NP

Maybe my comment is dumb, but why not tunnel IPv*-with-IPsec into
the payload of SCPS-NP (i.e. include the whole IP header and payload
into the payload of SCPS-NP) and then you have "nothing" to do to
support IPsec in NP, since IPsec will be managed by IP devices. Dumb?

Marc.

On 06-12-06 at 15:28, Scott, Keith L. wrote:

> As part of our charter item to update existing CCSDS  
> specifications, there is a rather old outstanding action item to  
> update the SCPS Network Protocol (SCPS-NP) to support carriage of  
> information needed for end-to-end IPSec AH across SCPS-NP networks.
>
> I put together some slides on this topic and placed them at
> (http://public.ccsds.org/sites/cwe/sis-csi/Public/Draft%20Documents/Carrying%20IPSEC%20Authentication%20Headers%20in%20SCPS-NP.ppt).  The
> slides present three options with varying implications (one option  
> uses only a new TPID but costs a byte, the other two have lower  
> overhead but use bits from the NP control field).
>
> I'd like to open this up for discussion and try to come to a rough
> consensus before we go into the January meetings.
>
>         --keith
>
> _______________________________________________
> Sis-CSI mailing list
> Sis-CSI at mailman.ccsds.org
> http://mailman.ccsds.org/cgi-bin/mailman/listinfo/sis-csi

