On Wed, Jan 6, 2010 at 2:52 AM, Dragan Grebovich <dgrebov...@avaya.com> wrote:
> Yes and Yes.
>
> I supported WESP from the beginning, because it allows intermediate
> systems to perform DPI on ESP-NULL packets.  I was not in favor of
> heuristics - not because it is a bad solution (on the contrary) - but
> because many products we have/make today could not be upgraded to
> support it.  Manav gave an excellent summary the other day.

The more that I think about this, the more convinced I get that we
(IPsecME WG) do not have a solution, any solution, for traffic
visibility if we do not let WESP carry encrypted traffic, because
heuristics is for most boxes unimplementable (i.e. if at all it can
work), and all models proposed so far rely on all boxes doing some bit
of heuristics along with WESP for proper identification of encrypted
and unencrypted packets.

> I also view that the extensibility of the protocol as it stands in the
> WESP today allows a smooth evolution path for fixing an obvious problem
> and allowing support of new services.  I would not deprecate ESP for a
> long time because there is a wide customer base that cannot be ripped
> out.  I would work within the present charter, if possible.  If it takes
> a new charter to codify ESPv4, I am fine with that too, and let's use
> WESP as a base.

Either this, or we come out with a short draft that deprecates
ESP-NULL usage with ESP.

>
> There is always going to be equipment mix of multiple vintages and
> capabilities.  Systems capable of supporting (extensible) WESP should
> be able to take advantage of that.  Some systems may not be able to
> support encrypted WESP and would work with ESP-NULL only.  Legacy
> systems (non-WESP capable) must be able to perform as they do today
> (ignoring WESP packets and forwarding them uninspected).

I agree.

Jack

>
> Dragan
>
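An added illustration, not part of this thread and not any WG or vendor code, of the distinction the messages above draw: an intermediate device deciding from the WESP header alone, with no heuristics, whether a packet is encrypted, is ESP-NULL and can be inspected, or is not understood and is forwarded uninspected as a legacy box would. It assumes the WESP header layout later published in RFC 5840 (Next Header, HdrLen, TrailerLen, Flags with version, E and P bits); the sample packets, SPI and ICV are constructed.

```python
import struct

# WESP header layout assumed from RFC 5840 (published after this thread):
# Next Header | HdrLen | TrailerLen | Flags, followed by the ordinary ESP packet.
# Flags: Version (2 bits), E = encrypted payload, P = padding present, 4 reserved bits.
WESP_VERSION = 0
FLAG_ENCRYPTED = 0x20
FLAG_RESERVED = 0x0F
ESP_HDR_LEN = 8  # SPI (4) + Sequence Number (4)


def classify_wesp(packet: bytes):
    """Decide what an intermediate device may do with a WESP-wrapped packet.

    Returns (verdict, detail):
      'encrypted'   - E bit set, nothing to inspect; detail is None
      'esp-null'    - detail is (next_header, cleartext) located via HdrLen/TrailerLen
      'uninspected' - header not understood; forward as a legacy device would
    The decision comes only from the WESP header, never from payload heuristics.
    """
    if len(packet) < 4:
        return "uninspected", None
    next_hdr, hdr_len, trailer_len, flags = struct.unpack("!BBBB", packet[:4])
    if (flags >> 6) != WESP_VERSION or flags & FLAG_RESERVED:
        return "uninspected", None
    if flags & FLAG_ENCRYPTED:
        return "encrypted", None
    # ESP-NULL: HdrLen is the offset from the WESP header to the cleartext data
    # (past any padding and the ESP header); TrailerLen is the size of the ESP
    # trailer (padding, Pad Length, Next Header, ICV) at the end of the packet.
    if hdr_len < 4 + ESP_HDR_LEN or hdr_len + trailer_len > len(packet):
        return "uninspected", None
    return "esp-null", (next_hdr, packet[hdr_len:len(packet) - trailer_len])


def build_wesp(next_hdr, inner, icv_len=12, encrypted=False):
    """Constructed sample packets (not captured traffic) with a made-up SPI,
    zero padding and a zeroed ICV; encrypted=True yields an opaque ESP body."""
    esp_hdr = struct.pack("!II", 0x00001234, 1)  # SPI, sequence number
    if encrypted:
        return struct.pack("!BBBB", 0, 0, 0, (WESP_VERSION << 6) | FLAG_ENCRYPTED) + esp_hdr + inner
    trailer = struct.pack("!BB", 0, next_hdr) + b"\x00" * icv_len
    wesp = struct.pack("!BBBB", next_hdr, 4 + len(esp_hdr), len(trailer), WESP_VERSION << 6)
    return wesp + esp_hdr + inner + trailer


SAMPLE_NULL = build_wesp(6, b"GET / HTTP/1.0\r\n\r\n")           # TCP in the clear
SAMPLE_ENC = build_wesp(0, b"\x8f\x12\xaa" * 6, encrypted=True)  # ciphertext-like bytes

if __name__ == "__main__":
    print(classify_wesp(SAMPLE_NULL))  # ('esp-null', (6, b'GET / HTTP/1.0\r\n\r\n'))
    print(classify_wesp(SAMPLE_ENC))   # ('encrypted', None)
```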
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec