Yaron Sheffer writes:
> - The current draft
> (http://tools.ietf.org/html/draft-ietf-ipsecme-traffic-visibility-11)
> defines the ESP trailer's ICV calculation to include the WESP
> header. This has been done to counter certain attacks, but it
> means that WESP is no longer a simple wrapper around ESP - ESP
> itself is modified. Do you support this design decision?

No.

> - The current draft allows WESP to be applied to encrypted ESP
> flows, in addition to the originally specified ESP-null. This was
> intended so that encrypted flows can benefit from the future
> extensibility offered by WESP. But arguably, it positions WESP as
> an alternative to ESP. Do you support this design decision?

No.

If we really want to make WESP as specified in the charter, it would be much better to make it so it can be added incrementally to the ESP processing, i.e. just like UDP encapsulation for NAT-traversal can be done. This would mean that the WESP processing could be applied after the normal ESP processing, and WESP would simply add an extra header to the beginning, and nothing else. The current draft already makes sure all the fields in the WESP header are verified by the IPsec recipient, thus there is really no need to add an ICV to cover them (if extensions are added then the ICV needs to cover them, which makes it impossible to implement WESP as an incremental change to ESP).

On the other hand, if WESP is going to be ESPv4, then it would be better to modify ESP directly, i.e. make the required modifications to the ESP header itself. Now WESP has bad attributes from both. It cannot be implemented as an extra step after normal ESP processing, but it does not benefit from the fact that it could be modifying the ESP header.

I myself have never cared that much about WESP, as I always planned NOT to implement it ever, but just to refer people who want it to my heuristics draft, and say that there is no need for WESP. Now if people really start to talk about WESP as a new ESPv4, and talk about obsoleting old ESP so that only WESP would stay, then the situation is quite different. If that had been clear from the beginning I myself would have concentrated much more on the WESP work. I assume there are other people who feel the same. That's why I think it is inappropriate to even consider WESP as something that would be replacing ESP ever.

If that is wanted, then much more discussion is needed.
-- 
kivi...@iki.fi
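The "incremental" WESP the post argues for, modelled as an added example (not code from this thread or from any IPsec implementation): the WESP header is prepended after ordinary ESP processing, the ICV covers only the ESP packet, and the recipient cross-checks every WESP field against the authenticated ESP contents, so a tampered WESP header is still rejected. The 4-byte header layout (Next Header, HdrLen, TrlrLen, Flags with a padded bit) is assumed from the later RFC 5840 form, and the ESP-null packet is a simplified toy.

```python
import hmac
import hashlib
import struct

# Toy ESP-null packet model (constructed for illustration; not RFC-exact):
#   SPI(4) | Seq(4) | payload | pad | PadLen(1) | NextHdr(1) | ICV(12)
# ICV = HMAC-SHA256 over everything before it, truncated to 96 bits.
ICV_LEN = 12


def build_esp_null(spi, seq, payload, next_hdr, key):
    pad_len = (-(len(payload) + 2)) % 4          # align trailer to 4 bytes
    body = struct.pack("!II", spi, seq) + payload + bytes(range(1, pad_len + 1))
    body += struct.pack("!BB", pad_len, next_hdr)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def wrap_wesp(esp_pkt):
    """Incremental step: prepend a 4-byte WESP header derived from the finished
    ESP packet, leaving the ESP packet (and its ICV) untouched.
    Assumed layout (RFC 5840 style): NextHdr | HdrLen | TrlrLen | Flags."""
    pad_len, next_hdr = struct.unpack("!BB", esp_pkt[-ICV_LEN - 2:-ICV_LEN])
    hdr_len = 4 + 8                    # WESP header + ESP header, no IV for ESP-null
    trlr_len = pad_len + 2 + ICV_LEN   # padding, PadLen, NextHdr, ICV
    flags = 0x20 if pad_len else 0x00  # assumed: P (padded) bit; E bit clear
    return struct.pack("!BBBB", next_hdr, hdr_len, trlr_len, flags) + esp_pkt


def unwrap_wesp(pkt, key):
    """Receiver: strip the WESP header, run normal ESP processing, then check
    every WESP field against the authenticated ESP contents."""
    w_next, w_hdr_len, w_trlr_len, w_flags = struct.unpack("!BBBB", pkt[:4])
    esp_pkt = pkt[4:]
    body, icv = esp_pkt[:-ICV_LEN], esp_pkt[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP ICV check failed")
    pad_len, next_hdr = struct.unpack("!BB", body[-2:])
    if (w_next, w_hdr_len, w_trlr_len) != (next_hdr, 12, pad_len + 2 + ICV_LEN):
        raise ValueError("WESP header inconsistent with authenticated ESP packet")
    if bool(w_flags & 0x20) != bool(pad_len):
        raise ValueError("WESP padded flag inconsistent with ESP trailer")
    return body[8:len(body) - 2 - pad_len]
```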