ipsec August 2007 archive

Re: [Ipsec] NULL/NULL forbidden in ESP

From: Arnaud EBALARD <arno_at_nospam>
Date: Thu Aug 09 2007 - 18:45:42 GMT
To: Dan McDonald <danmcd@sun.com>


Hi,

Dan McDonald <danmcd@sun.com> writes:

> Just the prevention of one sending not-so-secure packets.

That's what I thought.

> If you have IPsec policies at the end-nodes that can make NULL/NULL
> negotiable, why can't those same policies be set to PASS instead? Then
> it's a simple matter of your filtering configs.

Having to put specific filtering rules in the network

>> At the moment, even if some implementations allow it, the standard
>> prevents it. I'll be interested in comments on that.
>
> Just recently I hacked a custom OpenSolaris kernel (without the IKE mods) to
> allow NULL/NULL ESP - I did so for performance testing (can't blame the
> crypto with NULL/NULL). It was mildly painful and it requires a deft touch
> to configure. To have a proper implementation of NULL/NULL, however, it
> would take a while to extract various checks. Not to mention, at least our
> implementation makes assertions/assumptions around that sentence in section
> 3.2.

Static rules on a recent Linux kernel just work out of the box (I only tested emission, not reception).

> BTW, what are you worried about w.r.t. performance? Are you running on
> multi-gigabit links or with legacy hardware? Are you severely latency
> sensitive?

Mobile devices with limited CPU and battery, mainly. I'll try to benchmark the cost of applying the auth alg on the traffic that does not need IPsec protection under standard use. It might end up having a limited impact on battery/load.

Thank you all for the answers.

a+
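The combination discussed in this thread, an ESP SA with NULL encryption and NULL integrity at the same time, is the one RFC 4303 section 3.2 forbids; ESP-NULL with an integrity algorithm (the "auth only" mode Arnaud is weighing the cost of) and AEAD transforms are both allowed. The script below is an added example, not code from this thread or from any IPsec implementation: it audits `ip xfrm state` style output for the forbidden pairing so an operator can spot an SA that was installed without either protection. The sample output and its all-zero keys are constructed, and the line layout is an assumption about iproute2's `ip xfrm state` format (algorithm names such as `ecb(cipher_null)` and `digest_null` are the Linux xfrm names).

```python
"""Flag ESP SAs that carry neither confidentiality nor integrity (RFC 4303 s3.2)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Linux xfrm spellings of the NULL transforms (assumed names, see lead-in).
NULL_ENC = {"null", "cipher_null", "ecb(cipher_null)"}
NULL_AUTH = {"null", "digest_null"}


@dataclass
class SecurityAssociation:
    src: str
    dst: str
    proto: str                  # "esp" or "ah"
    spi: str
    enc: Optional[str] = None   # encryption algorithm, None if no "enc" line
    auth: Optional[str] = None  # integrity algorithm, None if no "auth" line
    aead: Optional[str] = None  # combined-mode algorithm, e.g. rfc4106(gcm(aes))

    def is_null_null(self) -> bool:
        """True for an ESP SA with no integrity and no confidentiality.

        An AEAD transform provides both, so it can never be NULL/NULL, and AH
        has no encryption by design, so the rule only applies to plain ESP.
        """
        if self.proto != "esp" or self.aead:
            return False
        enc_null = self.enc is None or self.enc in NULL_ENC
        auth_null = self.auth is None or self.auth in NULL_AUTH
        return enc_null and auth_null


def _build(block: Dict[str, str]) -> SecurityAssociation:
    return SecurityAssociation(
        src=block["src"], dst=block["dst"],
        proto=block.get("proto", "?"), spi=block.get("spi", "?"),
        enc=block.get("enc"), auth=block.get("auth"), aead=block.get("aead"),
    )


def parse_xfrm_state(text: str) -> List[SecurityAssociation]:
    """Parse `ip xfrm state` output: each SA starts with a 'src ... dst ...' line."""
    sas: List[SecurityAssociation] = []
    block: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            if block is not None:
                sas.append(_build(block))
            parts = line.split()
            block = {"src": parts[1], "dst": parts[3]}
        elif block is None or not line:
            continue
        elif line.startswith("proto "):
            parts = line.split()           # proto esp spi 0x... reqid N mode ...
            block["proto"], block["spi"] = parts[1], parts[3]
        elif line.startswith(("auth ", "auth-trunc ")):
            block["auth"] = line.split()[1]
        elif line.startswith("enc "):
            block["enc"] = line.split()[1]
        elif line.startswith("aead "):
            block["aead"] = line.split()[1]
    if block is not None:
        sas.append(_build(block))
    return sas


def audit(text: str) -> List[SecurityAssociation]:
    """Return the SAs that violate the NULL/NULL prohibition."""
    return [sa for sa in parse_xfrm_state(text) if sa.is_null_null()]


# Constructed sample: AES-CBC + HMAC (fine), ESP-NULL + HMAC (fine),
# NULL/NULL (forbidden), AES-GCM AEAD (fine). Keys are placeholder zeros.
SAMPLE_XFRM_STATE = """\
src 192.0.2.1 dst 192.0.2.2
	proto esp spi 0x00000100 reqid 1 mode transport
	replay-window 32
	auth-trunc hmac(sha256) 0x0000000000000000000000000000000000000000000000000000000000000000 128
	enc cbc(aes) 0x00000000000000000000000000000000
src 192.0.2.1 dst 192.0.2.2
	proto esp spi 0x00000200 reqid 2 mode transport
	replay-window 32
	auth-trunc hmac(sha1) 0x0000000000000000000000000000000000000000 96
	enc ecb(cipher_null) 0x
src 192.0.2.1 dst 192.0.2.2
	proto esp spi 0x00000300 reqid 3 mode transport
	replay-window 0
	auth digest_null 0x
	enc ecb(cipher_null) 0x
src 192.0.2.1 dst 192.0.2.2
	proto esp spi 0x00000400 reqid 4 mode tunnel
	replay-window 32
	aead rfc4106(gcm(aes)) 0x000000000000000000000000000000000000000000000000 128
"""

if __name__ == "__main__":
    for sa in audit(SAMPLE_XFRM_STATE):
        print(f"NULL/NULL ESP SA {sa.src} -> {sa.dst} spi {sa.spi}: "
              f"enc={sa.enc} auth={sa.auth} (forbidden by RFC 4303 s3.2)")
```

On a live host the same check runs as `ip xfrm state | python3 audit_esp.py` with `sys.stdin.read()` in place of the sample; only the third SA above is reported, the ESP-NULL + HMAC-SHA1 one is exactly the integrity-only configuration the standard permits.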



Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec