Responding to Yaron's request for group input on two questions pertaining to 
WESP draft

On question #1 (ICV calculation): I don't agree with the design decision to include 
the WESP header in the ESP trailer's ICV. I see it as unnecessary contamination of the ESP 
protocol.

On question #2 (allowing WESP as an alternative to ESP): I support this design 
choice. On the whole I feel that the functionality described for WESP, even 
when perceived as an alternative to ESP, is a step in the right direction for 
supporting several key use cases for us.

Cheers,
MS

-------------------------------------------- 
Mauricio Sanchez
Chief Security Architect

HP ProCurve Networking
Hewlett-Packard
8000 Foothills Blvd.
M/S 5541
Roseville, CA 95747
tel: 916.785.1910
fax: 916.785.1749
mauricio.sanc...@hp.com
 
--------------------------------------------

----------------------------------------------------------------------

Message: 1
Date: Tue, 5 Jan 2010 00:27:26 +0200
From: Yaron Sheffer <yar...@checkpoint.com>
Subject: [IPsec] Traffic visibility - consensus call
To: "ipsec@ietf.org" <ipsec@ietf.org>
Message-ID:
        <7f9a6d26eb51614fbf9f81c0da4cfec801bdf887a...@il-ex01.ad.checkpoint.com>
        
Content-Type: text/plain; charset="us-ascii"

Hi,

We have had a few "discusses" during the IESG review of the WESP draft. To help 
resolve them, we would like to reopen the following two questions to WG 
discussion. Well-reasoned answers are certainly appreciated. But a plain "yes" or 
"no" would also be useful in judging the group's consensus.

- The current draft 
(http://tools.ietf.org/html/draft-ietf-ipsecme-traffic-visibility-11) defines 
the ESP trailer's ICV calculation to include the WESP header. This has been 
done to counter certain attacks, but it means that WESP is no longer a simple 
wrapper around ESP - ESP itself is modified. Do you support this design 
decision?

- The current draft allows WESP to be applied to encrypted ESP flows, in 
addition to the originally specified ESP-null. This was intended so that 
encrypted flows can benefit from the future extensibility offered by WESP. But 
arguably, it positions WESP as an alternative to ESP. Do you support this 
design decision?

Thanks,
     Yaron
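
To make question #1 concrete, here is an added example (not from the draft or from anyone in this thread) showing what it means for the ESP ICV to cover the WESP header. The 4-byte WESP header layout (Next Header, HdrLen, TrailerLen, Flags with Version/E/P bits) follows RFC 5840, the published form of this draft; the key, SPI, payload and the HMAC-SHA-256 authenticator truncated to 128 bits are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed; a real SA key comes from IKE

def wesp_header(next_header, hdr_len, trailer_len, encrypted, padding):
    """4-byte WESP header. Flags = Version(2) | E(1) | P(1) | Reserved(4)."""
    flags = (0 << 6) | (int(encrypted) << 5) | (int(padding) << 4)
    return struct.pack("!BBBB", next_header, hdr_len, trailer_len, flags)

def esp_body(spi, seq, payload, next_header=6):
    """ESP-NULL: SPI + Seq + cleartext payload + trailer (pad, pad len, NH)."""
    pad_len = (-(len(payload) + 2)) % 4          # pad to a 4-octet boundary
    pad = bytes(range(1, pad_len + 1))           # RFC 4303 default padding
    return struct.pack("!II", spi, seq) + payload + pad + struct.pack("!BB", pad_len, next_header)

def icv(data):
    """Constructed integrity algorithm: HMAC-SHA-256 truncated to 128 bits."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def build_packet(wesp, esp, cover_wesp):
    """cover_wesp=True is the draft's choice (ICV over WESP header + ESP)."""
    authenticated = (wesp + esp) if cover_wesp else esp
    return wesp + esp + icv(authenticated)

def verify(packet, cover_wesp):
    """Receiver-side ICV check under the same coverage rule as the sender."""
    wesp, rest = packet[:4], packet[4:]
    esp, tag = rest[:-16], rest[-16:]
    authenticated = (wesp + esp) if cover_wesp else esp
    return hmac.compare_digest(icv(authenticated), tag)

def tamper_check(cover_wesp):
    """Flip the E (encrypted) bit of the WESP header in transit and report
    whether the receiver still accepts the packet. True = change undetected."""
    payload = b"constructed TCP segment"
    esp = esp_body(spi=0x1000, seq=1, payload=payload)
    trailer_len = len(esp) - 8 - len(payload) + 16   # pad + pad len + NH + ICV
    wesp = wesp_header(6, hdr_len=12, trailer_len=trailer_len, encrypted=False, padding=False)
    pkt = build_packet(wesp, esp, cover_wesp)
    assert verify(pkt, cover_wesp)                   # untouched packet verifies
    modified = pkt[:3] + bytes([pkt[3] ^ 0x20]) + pkt[4:]
    return verify(modified, cover_wesp)
```

With the ICV covering the WESP header, a middlebox or receiver detects the altered flag; without it, the header can be changed with no integrity failure, which is the class of attack the draft's design targets.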

------------------------------
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
