Gabriel Montenegro wrote:

> Just to be clear: I'm not saying that WESP is a general replacement for ESP.
> As Steve Kent points out, where there are no trusted intermediary inspection
> devices (i.e., outside of medium to large organizations) there is no need
> for end-nodes to collaborate with the inspecting infrastructure, hence no
> need for WESP. ESP is fine. Perhaps this is the disconnect that is happening:
> traditionally, the focus of the IPsec WG has been on such external applications
> (VPN), whereas WESP and future potential extensibility is more valuable within
> organizations. Such value may not be as obvious to VPN folks.

This sounds like an argument for being able to strip off the internal network WESP header at a perimeter intermediate system. That same perimeter box can apply Tero's heuristics and then add the header so the intermediate systems don't need to. Voila, instant upgrade value for the VPN folks.

Which, of course, would not be possible with the ICV over the WESP header.

On the other hand, I don't really buy the 'slippery slope' arguments. I have read the charter for this work item over a couple of times and WESP with encryption still looks consistent to me.

So, here's my opinion:

- YES on allowing use of WESP when using ESP with encryption
- NO on including the WESP header in the ICV calculation, the endpoints have to deal with attacks in any case.

By the way, WESP extension drafts that propose arbitrary new mutable fields for use with ESP just reinforce that NO.

Thanks,

--Joe

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
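Added illustration, not part of the thread above and not code from any WESP or IPsec implementation: a small Python model of the trade-off Joe describes. It builds a 4-byte WESP header in front of an ESP packet, computes the ICV either over the ESP bytes alone or over the WESP header plus the ESP bytes, and then shows what a perimeter box that strips or adds the header does to verification in each case, and what the receiving end node has to check itself when the header is left outside the ICV. Assumptions: the header layout (NextHdr, HdrLen, TrailerLen, Flags with the E bit in the flags byte) follows my reading of RFC 5840, the ICV is a truncated HMAC-SHA-256 standing in for whatever the SA negotiates, the payload stands in for already-encrypted data, and the key and packet contents are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo material; not a real SA key and not an RFC test vector.
SA_KEY = b"demo-sa-key-not-for-real-use"
ICV_LEN = 16  # truncated HMAC, in the spirit of HMAC-SHA-256-128 for ESP


def wesp_header(next_header: int, hdr_len: int, trailer_len: int,
                encrypted: bool, padded: bool = False) -> bytes:
    """4-byte WESP header: NextHdr | HdrLen | TrailerLen | Flags.
    Flags are assumed laid out as VV E P RRRR with version 0 (my reading of RFC 5840)."""
    flags = (int(encrypted) << 5) | (int(padded) << 4)
    return struct.pack("!BBBB", next_header, hdr_len, trailer_len, flags)


def esp_body(spi: int, seq: int, payload: bytes) -> bytes:
    """ESP header (SPI, sequence number) plus payload. The payload stands in for
    already-encrypted data; encryption itself is not what the thread is about."""
    return struct.pack("!II", spi, seq) + payload


def compute_icv(key: bytes, esp: bytes, covered_prefix: bytes = b"") -> bytes:
    """ICV over the ESP bytes, optionally with the WESP header prepended to the
    integrity-protected region (the 'ICV over the WESP header' option)."""
    return hmac.new(key, covered_prefix + esp, hashlib.sha256).digest()[:ICV_LEN]


def build(key: bytes, esp: bytes, wesp: bytes = b"", icv_covers_wesp: bool = False) -> bytes:
    """Sender side: WESP header (if any), ESP bytes, then the ICV."""
    tag = compute_icv(key, esp, wesp if icv_covers_wesp else b"")
    return wesp + esp + tag


def verify(key: bytes, packet: bytes, has_wesp: bool, icv_covers_wesp: bool) -> bool:
    """Receiver side. Whether the ICV covers the WESP header is an SA property
    that both end nodes must agree on; the perimeter box is not a party to it."""
    hdr, rest = (packet[:4], packet[4:]) if has_wesp else (b"", packet)
    esp, tag = rest[:-ICV_LEN], rest[-ICV_LEN:]
    expected = compute_icv(key, esp, hdr if icv_covers_wesp else b"")
    return hmac.compare_digest(tag, expected)


def perimeter_strip(packet: bytes) -> bytes:
    """Perimeter box removing the internal-network WESP header before the VPN leg."""
    return packet[4:]


def perimeter_add(packet: bytes, hdr: bytes) -> bytes:
    """Perimeter box prepending the WESP header on inbound traffic so the internal
    inspection devices need no heuristics."""
    return hdr + packet


def header_matches_sa(hdr: bytes, sa_encrypted: bool) -> bool:
    """What an end node has to do when the header is outside the ICV: cross-check
    the WESP fields against what the SA negotiated (only the E bit is checked here)."""
    e_bit = bool(hdr[3] & 0x20)
    return e_bit == sa_encrypted


def demo() -> dict:
    hdr = wesp_header(next_header=50, hdr_len=4, trailer_len=ICV_LEN, encrypted=True)
    esp = esp_body(spi=0x1234, seq=1, payload=bytes(range(32)))  # constructed
    r = {}

    # Option A: ICV excludes the WESP header. The perimeter box can strip the header
    # on the way out and add it on the way in; both end nodes still verify.
    inner = build(SA_KEY, esp, hdr, icv_covers_wesp=False)
    r["excluded_strip_ok"] = verify(SA_KEY, perimeter_strip(inner), False, False)
    plain_esp = build(SA_KEY, esp)  # plain ESP from the VPN peer, no WESP at all
    r["excluded_add_ok"] = verify(SA_KEY, perimeter_add(plain_esp, hdr), True, False)

    # Option B: ICV includes the WESP header. The same perimeter rewrite breaks the ICV,
    # so the header can only be handled end to end.
    inner_b = build(SA_KEY, esp, hdr, icv_covers_wesp=True)
    r["included_strip_ok"] = verify(SA_KEY, perimeter_strip(inner_b), False, True)
    r["included_add_ok"] = verify(SA_KEY, perimeter_add(plain_esp, hdr), True, True)

    # The price of option A: a header altered in transit (E bit cleared) still passes
    # the ICV check, so the end node must validate the header against its SA itself.
    altered_hdr = wesp_header(50, 4, ICV_LEN, encrypted=False)
    r["excluded_altered_icv_ok"] = verify(SA_KEY, altered_hdr + inner[4:], True, False)
    r["excluded_altered_sa_check"] = header_matches_sa(altered_hdr, sa_encrypted=True)
    r["included_altered_icv_ok"] = verify(SA_KEY, altered_hdr + inner_b[4:], True, True)
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the model makes explicit: leaving the header out of the ICV is what allows the perimeter box to translate between WESP inside and plain ESP outside, and in exchange the receiving end node has to treat the header as untrusted input and check it against the SA rather than rely on the ICV for it.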