@@ -423,14 +423,15 @@ establishment.
423423** Payload Info Header
424424
425425The Payload Info Header is needed if the contained payload is
426- not a single IPv4 or IPv6 packet (e.g., when using Transport Mode or
427- IP-TFS). It is optional on tunnel mode because this information
428- can be derived from the inner IPv4 or IPv6 header. This document
429- specifies a full and an optimized packet format. The Payload Info
430- Header is present in the Full EESP packet format, but not in the
431- optimized format see [[Full and Optimized Packet Formats]].
432- IPsec peers and middleboxes (if Crypt Offset is positive, see
433- [[EESP Crypt Offset Option]]) MAY act upon the Payload Info Header.
426+ not a single IPv4 or IPv6 packet (e.g., when using Transport Mode,
427+ BEET Mode [[RFC7402]], or IP-TFS [[RFC9347]]). It is optional on
428+ tunnel mode because this information can be derived from the inner
429+ IPv4 or IPv6 header. This document specifies a full and an optimized
430+ packet format. The Payload Info Header is present in the Full EESP
431+ packet format, but not in the optimized format see
432+ [[Full and Optimized Packet Formats]]. IPsec peers and middleboxes
433+ (if Crypt Offset is positive, see [[EESP Crypt Offset Option]]) MAY
434+ act upon the Payload Info Header.
434435
435436#+caption: Payload Info Header
436437#+name: payload-info-header
@@ -666,7 +667,7 @@ processing details are described in later sections.
666667
667668#+ATTR_RFC: :compact t
668669- [1] M = mandatory; O = optional
669- - [2] If tunnel mode -> IP datagram. If beet mode -> IP datagram. If
670+ - [2] If tunnel mode -> IP datagram. If BEET mode -> IP datagram. If
670671 transport mode -> next header and data. If IP-TFS, IP-TFS header
671672 and payload.
672673- [3] Ciphertext if encryption has been selected
@@ -995,15 +996,14 @@ a separate document that defines the 'EESP use for Datacenters'.
995996** EESP Header Location
996997
997998EESP may be employed in multiple ways. To secure end-to-end
998- network traffic, transport mode and payload encryption mode
999- may be used. For the VPN use case, tunnel and beet mode may
1000- be employed.
999+ network traffic, transport mode may be used. For the VPN use case,
1000+ tunnel and BEET mode may be employed.
10011001
10021002
10031003*** Layer 4 Encapsulation Modes
10041004
1005- Layer 4 Encapsulation Modes are transport mode and BEET mode.
1006- Layer 4 Encapsulation Modes
1005+ Layer 4 Encapsulation Modes are transport mode and BEET mode
1006+ [[RFC7402]] Layer 4 Encapsulation Modes
10071007distinguish from tunnel mode on the position of the EESP
10081008header in the packet. On Layer 4 Encapsulation Modes the
10091009EESP header is inserted between the original IPv4/IPv6
@@ -1348,13 +1348,6 @@ vary for different algorithm choices. In order to provide a uniform,
13481348algorithm-independent approach to invocation of combined mode
13491349algorithms, no payload substructure is defined.
13501350
1351-
1352- # XXX: Do we need this?
1353- # For example, the SPI
1354- # and Sequence Number fields might be replicated within the ciphertext
1355- # envelope and an ICV may be appended to the EESP payload data. None of
1356- # these details should be observable externally.
1357-
13581351To allow an EESP implementation to determine the MTU impact of a
13591352combined mode algorithm, the RFC for each algorithm used with EESP
13601353must specify a (simple) formula that yields encrypted payload size,
@@ -1391,7 +1384,7 @@ by using the AES-CMAC algorithm ([[RFC4494]]).
13911384The Sender proceeds for combined confidentiality/integrity algorithm as follows:
13921385
139313861. Encapsulate into the EESP Payload Data field:
1394- - for transport and beet mode -- just the original next layer
1387+ - for transport and BEET mode -- just the original next layer
13951388 protocol information.
13961389 - for tunnel mode -- the entire original IP datagram.
13971390
@@ -1412,19 +1405,13 @@ The Sender proceeds for combined confidentiality/integrity algorithm as follows:
14121405 algorithm, as they must be included in the integrity
14131406 check computation. The means by which these values
14141407 are included in this computation are a function of
1415- the combined mode algorithm employed and thus not
1416- specified in this standard.
1408+ the combined mode algorithm employed.
14171409 - The (explicit) ICV field MAY be a part of the EESP
1418- packet format when a combined mode algorithm is
1419- employed. If one is not used, an analogous field
1410+ packet format. If one is not used, an analogous field
14201411 usually will be a part of the ciphertext payload.
14211412 The location of any integrity fields, and the means
14221413 by which the EESP header fields are included in
1423- the integrity computation, MUST be defined in an RFC
1424- that defines the use of the combined mode algorithm
1425- with EESP. # XXX: We don't have this!!!
1426-
1427- # NOTE STK: Do we need to update RFC4106, RFC 4543, RFC 6054 etc.?
1414+ the integrity computation, are defined in [[AAD Construction]].
14281415
14291416*** Sequence Number Generation
14301417
@@ -1470,7 +1457,7 @@ replaced.
14701457*** Fragmentation
14711458
14721459If necessary, fragmentation is performed after EESP processing within
1473- an IPsec implementation. Thus, transport and beet mode, EESP is applied only to
1460+ an IPsec implementation. Thus, transport and BEET mode, EESP is applied only to
14741461whole IP datagrams (not to IP fragments). An IP packet to which EESP
14751462has been applied may itself be fragmented by routers en route, and
14761463such fragments must be reassembled prior to EESP processing at a
@@ -1480,8 +1467,8 @@ a "bump-in-the-stack" or "bump-in-the-wire" IPsec implementation (as
14801467defined in the Security Architecture document) may apply tunnel mode
14811468EESP to such fragments.
14821469
1483- # FIXME: beet + payload enc mode
1484- NOTE: For Layer 4 Encapsulation Modes -- As mentioned at the end of [[Layer 4 Encapsulation Modes]],
1470+ NOTE: For Layer 4 Encapsulation Modes -- As mentioned at the end of
1471+ [[Layer 4 Encapsulation Modes]],
14851472bump-in-the-stack and bump-in-the-wire implementations may have to
14861473first reassemble a packet fragmented by the local IP layer, then
14871474apply IPsec, and then fragment the resulting packet.
@@ -1545,13 +1532,12 @@ and (in IPv6) the cleartext Flow ID.
15451532
15461533*** Sequence Number Verification
15471534
1548- # FIXME: This section needs review.
1549-
15501535All EESP implementations MUST support the anti-replay service, though
15511536its use may be enabled or disabled by negotiation on a per-SA basis.
15521537Anti-replay is applicable to unicast as well as multicast SAs.
15531538
15541539# Note STK: This might change when we introduce the Sender ID option.
1540+
15551541However, this standard specifies
15561542no mechanisms for providing anti-replay for a multi-sender SA
15571543(unicast or multicast). In the absence of negotiation (or manual
@@ -1629,13 +1615,6 @@ The receiver proceeds for combined mode algorithms as follows:
16291615 Payload Data, Padding, using the key, algorithm,
16301616 algorithm mode, and cryptographic synchronization data (if
16311617 any), indicated by the SA.
1632- # FIXME: EESP has more inputs than SPI ans seq NR
1633- # XXX: This is the original ESP text:
1634- # The SPI from the EESP header, and
1635- # the (receiver) packet counter value (adjusted as required
1636- # from the processing described in Section 3.4.3) are inputs
1637- # to this algorithm, as they are required for the integrity
1638- # check.
16391618 The Base Header and the Peer Header are are inputs
16401619 to this algorithm, as they are required for the integrity
16411620 check.
@@ -1655,7 +1634,7 @@ The receiver proceeds for combined mode algorithms as follows:
16551634 datagram as invalid; this is an auditable event. The log
16561635 data SHOULD include the SPI value, Session ID value, date/time received,
16571636 Source Address, Destination Address, the Sequence Number,
1658- and (in IPv6) the cleartext Flow ID.
1637+ andF (in IPv6) the cleartext Flow ID.
16591638
16601639- Process any Padding as specified in the encryption algorithm
16611640 specification, if the algorithm has not already done so.
@@ -1670,12 +1649,11 @@ The receiver proceeds for combined mode algorithms as follows:
16701649
16711650
16721651The exact steps for reconstructing the original datagram
1673- depend on the mode and are described in the Security
1674- Architecture document. # XXX: What about BEET mode?
1675- # FIXME: What to do here?
1676- At a minimum, in an
1677- IPv6 context, the receiver SHOULD ensure that the decrypted
1678- data is 8-byte aligned, to facilitate processing by the
1652+ depend on the mode. Transport and Tunnel mode are described in the
1653+ Security Architecture document [[RFC4301]]. BEET Mode is described
1654+ in [[RFC7402]] and IP-TFS in [[RFC9347]].
1655+ At a minimum, in an IPv6 context, the receiver SHOULD ensure that the
1656+ decrypted data is 8-byte aligned, to facilitate processing by the
16791657protocol identified in the Next Header field.
16801658
16811659
@@ -1961,6 +1939,7 @@ TBD
19611939** RFC4303
19621940** RFC4494
19631941** RFC7296
1942+ ** RFC7402
19641943** RFC8200
19651944** RFC9347
19661945
0 commit comments