Jack Kohn writes:
> From operational perspective if we are supporting both v4 and v6 (and we
> will) then having different protocols ESP and AH is and will be a
> nightmare. Common denominator is ESP-Null. However, there were issues with
> ESP-Null as it couldn't be deep inspected which has now been solved with
> WESP.

ESP-NULL and AH will still have different properties. AH will also protect data which is not protected by ESP-NULL, i.e. the IP header including IP addresses (unless ESP-NULL is used in tunnel mode).

> In short, the argument that "Oh, but we can inspect AH packets" is not
> relevant anymore.

I do not think it was ever really relevant... AH was not used because it offers the ability to inspect packets, it was used when encryption was not necessary and where protection of the IP header was needed.

> Given this, should we still have AH as a MAY for IPSEC - Can't we deprecate
> it?

I do not see any reason why it should be deprecated. It is already MAY, which means it does not need to be implemented unless your environment or use scenario needs it. I was earlier in favor of changing it to MAY, but I do not think we need to move it further than that.

> WESP is ESP++, and it offers everything that ESP offers plus more. What is
> our stance for ESP moving forward?

I am very sceptical of WESP getting lots of implementations quickly, so I do not really consider WESP a competitor for ESP. Also I do not see any reason to waste bytes on an extra WESP header for encrypted traffic, so I assume WESP will be used (if it will be used) for ESP-NULL traffic, not for encrypted traffic.

> Also, I see that a lot of work done in other WGs is still using ESP
> (primarily for data integrity). Shouldn't they be moving to WESP, as WESP
> offers more flexibility?

It will take several years before implementations start to implement WESP, and even more years before hardware chips support WESP. Most of the IPsec users are still using IKEv1, even though we published IKEv2 in 2005, i.e. 4 years ago. And the IKEv2 draft was finished and publication was requested at the end of 2003. So a stable draft which could be used to implement IKEv2 was ready 6 years ago, and while there are several implementations out, people are still using IKEv1.

Also before WESP can be used people would first need to move to IKEv2 anyways...
-- 
kivi...@iki.fi
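An added illustration, not part of the thread or of any IPsec implementation, of the coverage difference the reply above describes: a toy transport-mode AH and ESP-NULL sender/receiver (HMAC-SHA-256 truncated to 128 bits, constructed key, addresses and payload, IP checksum left at zero) showing that a source-address rewrite in transit fails the AH ICV check but passes ESP-NULL, while a TTL decrement passes both because AH zeroes mutable header fields before computing the ICV.

```python
import hmac, hashlib, struct

KEY = b"constructed-demo-key"  # constructed sample key; a real SA's key would come from IKE
PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17

def icv(data):  # HMAC-SHA-256 truncated to 128 bits, the usual IPsec truncation
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def ipv4_header(src, dst, proto, ttl=64):
    # Minimal IPv4 header: ver/IHL, TOS, total len, ID, flags/frag, TTL, proto, checksum (left 0), addresses
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, 0x4000, ttl, proto, 0, src, dst)

def zero_mutable(ip):
    # RFC 4302 3.3.3.1: mutable fields (TOS, flags/frag offset, TTL, checksum) are zeroed for the ICV; addresses stay covered
    h = bytearray(ip)
    h[1] = 0; h[6:8] = b"\x00\x00"; h[8] = 0; h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_send(src, dst, payload, spi=0x100, seq=1):
    ip = ipv4_header(src, dst, PROTO_AH)
    ah = struct.pack("!BBHII", PROTO_UDP, 5, 0, spi, seq) + bytes(16)  # AH header with the ICV field zeroed
    tag = icv(zero_mutable(ip) + ah + payload)
    return ip, ah[:12] + tag + payload

def ah_verify(ip, rest):
    ah, tag, payload = rest[:12] + bytes(16), rest[12:28], rest[28:]
    return hmac.compare_digest(icv(zero_mutable(ip) + ah + payload), tag)

def esp_null_send(src, dst, payload, spi=0x200, seq=1):
    ip = ipv4_header(src, dst, PROTO_ESP)
    pad = (-(len(payload) + 2)) % 4
    body = struct.pack("!II", spi, seq) + payload + bytes(pad) + bytes([pad, PROTO_UDP])
    return ip, body + icv(body)  # ICV covers ESP header through trailer only, never the IP header

def esp_null_verify(ip, rest):
    return hmac.compare_digest(icv(rest[:-16]), rest[-16:])

def rewrite(ip, src=None, ttl=None):
    # Constructed middlebox behaviour: a NAT rewriting the source address, or a router decrementing TTL
    h = bytearray(ip)
    if src is not None: h[12:16] = src
    if ttl is not None: h[8] = ttl
    return bytes(h)

def survives(proto, change):
    # Send A -> B, apply the in-transit change, and report whether the receiver's ICV check still passes
    send, verify = (ah_send, ah_verify) if proto == "ah" else (esp_null_send, esp_null_verify)
    ip, rest = send(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"constructed UDP payload")
    ip = rewrite(ip, src=b"\xc0\xa8\x00\x63") if change == "nat" else rewrite(ip, ttl=63)
    return verify(ip, rest)
```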
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec