> There is a need per the charter for a mechanism to "easily and reliably"
> determine the type of traffic. Within an organization, it would be much
> easier to use WESP encryption as an alternative to ESP. If one sees ESP
> packets, then one would have to run heuristics with all the pertaining
> issues as explained in Manav's recent message, and higher cost associated
> (particularly, in stateless high aggregation points). WESP with encryption
> support would allow an organization to simplify rules and inspection
> devices. Sure, the WESP header adds more bytes, but the tradeoff is that
> there is no need for costly heuristics throughout the network. Without
> WESP encryption, the charter item does not have a complete solution.
I agree. I, like others, and unlike the authors of heuristics, would never like to see heuristics implemented in a network, because it is not going to work. Period. It requires too much from the devices to do, and it's simply not practical (refer to past mails in the WG list). One can clearly gauge the interest in heuristics vis-a-vis WESP by the amount of mails and the review comments that have been sent/exchanged. WESP provides a simple, clean, deterministic way to disambiguate between encrypted and unencrypted traffic and I would like to see it this way.

> Just to be clear: I'm not saying that WESP is a general replacement for
> ESP. As Steve Kent points out, where there are no trusted intermediary
> inspection devices (i.e., outside of medium to large organizations) there
> is no need for end-nodes to collaborate with the inspecting infrastructure,
> hence no need for WESP. ESP is fine.

I agree and would like to stress that WESP is not a replacement for ESP. I repeat for the benefit of others that extending WESP to carry encrypted packets does not mean that it is replacing ESP.

Jack

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
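The inspection rule the quoted message argues for, as an added example that is not part of this thread: a middlebox reads the WESP header's E bit to decide deterministically whether the payload is encrypted, and only plain ESP is left needing heuristics. The 4-octet WESP header layout (Next Header, HdrLen, TrailerLen, Flags with a 2-bit version, E and P bits) and IP protocol number 141 are assumed from RFC 5840, which was published after this discussion; the packets are constructed.

```python
import struct

ESP_PROTO = 50    # IP protocol number of ESP (RFC 4303)
WESP_PROTO = 141  # IP protocol number of WESP, assumed from RFC 5840

def build_wesp(next_header, esp_header, inner, trailer, encrypted=False):
    """Constructed sample only: wrap an ESP packet (8-octet ESP header,
    inner data, ESP trailer + ICV) in a 4-octet WESP header. When the
    payload is encrypted the offsets are of no use to a middlebox, so the
    sender puts zeros there and only the E bit carries information."""
    flags = 0x20 if encrypted else 0x00           # version 0, E bit = 0x20
    hdr_len = 0 if encrypted else 4 + len(esp_header)
    trailer_len = 0 if encrypted else len(trailer)
    nh = 0 if encrypted else next_header
    wesp = struct.pack("!BBBB", nh, hdr_len, trailer_len, flags)
    return wesp + esp_header + inner + trailer

def classify_ipsec_payload(proto, payload):
    """Stateless inspection-device rule for the IP payload of one packet.
    Returns (verdict, details):
      "esp-ambiguous"  plain ESP: the header alone cannot say whether the
                       payload is encrypted, so heuristics would be needed
      "wesp-encrypted" E bit set: encrypted, forward without inspection
      "wesp-cleartext" E bit clear: integrity-only, inner data located by
                       the HdrLen/TrailerLen offsets
      "wesp-malformed" header violates the assumed RFC 5840 constraints
      "not-ipsec"      anything else"""
    if proto == ESP_PROTO:
        return "esp-ambiguous", {"needs_heuristics": True}
    if proto != WESP_PROTO:
        return "not-ipsec", {}
    if len(payload) < 4:
        return "wesp-malformed", {"reason": "short header"}
    next_hdr, hdr_len, trailer_len, flags = struct.unpack("!BBBB", payload[:4])
    if (flags >> 6) != 0 or (flags & 0x0F) != 0:  # version 0, reserved bits 0
        return "wesp-malformed", {"reason": "bad version or reserved bits"}
    if flags & 0x20:                              # E bit: nothing more to parse
        return "wesp-encrypted", {}
    # Integrity-only ESP: HdrLen must cover the WESP (4) and ESP (8) headers,
    # and both offsets must stay inside the packet
    if hdr_len < 12 or hdr_len + trailer_len > len(payload):
        return "wesp-malformed", {"reason": "offsets outside packet"}
    inner = payload[hdr_len:len(payload) - trailer_len]
    return "wesp-cleartext", {"next_header": next_hdr, "inner": inner,
                              "padded": bool(flags & 0x10)}
```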