On Thu, January 7, 2010 4:39 pm, Jack Kohn wrote:
> On Fri, Jan 8, 2010 at 5:51 AM, Dan Harkins <dhark...@lounge.org> wrote:
>>
>> Hi Jack,
>>
>> On Thu, January 7, 2010 4:06 pm, Jack Kohn wrote:
>>> Folks,
>>>
>>> Some questions.
>>>
>>> o In a steady state, where we are using WESP only for ESP-NULL, what
>>> should a middle box do when it sees ESP traffic, besides
>>> hyperventilating and throwing up? Should it run heuristics (dang! no)
>>> or should it simply assume that the packet is encrypted and do
>>> whatever the local policy dictates it to do for all encrypted packets?
>>> I would guess that it'll be the latter as most middle boxes will NOT
>>> run heuristics. Then going forward, should we recommend obsoleting the
>>> use of NULL cipher with ESP, as that's the easiest way to get folks off
>>> using ESP-NULL.
>>
>> No.
>
> Interesting. Then how do you propose to get people started off with
> using WESP or the AH-lite?
  As I have been saying, if you have the problem that WESP claims to be
solving you prohibit ESP-null by local policy.

>>> o Are we going to approach the other WGs to start using WESP
>>> wherever they propose to use ESP-NULL? Is that the plan?
>>
>> I sure hope not!
>
> Curious. Why not?

  Because it's unnecessary bloat that another group may not have any use
for. ESP-null could be used, for instance, to protect packets in an EGP
routing protocol. There is no need for WESP in such an environment. We
should not try to get people to use a protocol simply because the IT
department in some enterprise somewhere likes it.

  Dan.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
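The middlebox question raised above (what to do with ESP when only WESP is used for ESP-NULL) is easy to see in code. The following is an added example, not code from the thread or from any IETF document: a minimal classifier that treats plain ESP (IP protocol 50) as opaque and hands it to the local policy for encrypted traffic, with no heuristics, while for WESP (IP protocol 141) it reads the RFC 5840 wrapper header (Next Header, HdrLen, TrailerLen, Flags with Version in the top two bits, P at 0x20, E at 0x10) to locate the cleartext payload. The packet builders and the sample TCP header are constructed here for the example; the 12-byte ICV length and the policy action names are assumptions of the example, not anything the thread specifies.

```python
"""Middlebox view of ESP vs. WESP (RFC 5840).  Added example; the packets
below are constructed, not captured, and the ICV length is an assumption."""
import struct

PROTO_ESP = 50      # IP protocol number for ESP (RFC 4303)
PROTO_WESP = 141    # IP protocol number for WESP (RFC 5840)
WESP_FLAG_P = 0x20  # Padding bit: WESP padding present
WESP_FLAG_E = 0x10  # Encrypted-payload bit: payload is not cleartext
ASSUMED_ICV_LEN = 12  # assumption for the constructed packets only


def parse_wesp(pkt: bytes) -> dict:
    """Parse a WESP wrapper plus the ESP header it wraps.  Raises ValueError
    on anything the wrapper itself makes checkable (version, offsets)."""
    if len(pkt) < 12:
        raise ValueError("too short for WESP + ESP header")
    next_hdr, hdr_len, trailer_len, flags = struct.unpack("!BBBB", pkt[:4])
    if flags >> 6 != 0:
        raise ValueError("unknown WESP version")
    # HdrLen is the offset from the start of WESP to the first payload byte,
    # i.e. past the 4-byte wrapper, SPI, sequence number and any IV.  With
    # ESP-NULL there is no IV, so it can never be below 12.
    if hdr_len < 12 or hdr_len + trailer_len > len(pkt):
        raise ValueError("inconsistent HdrLen/TrailerLen")
    spi, seq = struct.unpack("!II", pkt[4:12])
    # The endpoint that owns the SA verifies the ESP trailer and ICV; a
    # middlebox can only sanity-check the wrapper's offsets.
    return {
        "next_header": next_hdr,
        "encrypted": bool(flags & WESP_FLAG_E),
        "padding": bool(flags & WESP_FLAG_P),
        "spi": spi,
        "seq": seq,
        "payload": pkt[hdr_len:len(pkt) - trailer_len],
    }


def classify(proto: int, pkt: bytes, encrypted_policy: str = "encrypted-policy"):
    """Decide what a middlebox does with one IP payload.  Returns
    (action, detail).  No heuristics are run on ESP: an ESP-NULL packet and
    an encrypted one are indistinguishable here, so both get the local
    policy for encrypted traffic."""
    if proto == PROTO_ESP:
        return encrypted_policy, "ESP: cannot tell ESP-NULL from encrypted"
    if proto == PROTO_WESP:
        try:
            w = parse_wesp(pkt)
        except ValueError as err:
            return "drop", f"malformed WESP: {err}"
        if w["encrypted"]:
            return encrypted_policy, "WESP with E=1: payload is encrypted"
        return "inspect", w
    return "pass", "not IPsec"


def build_esp_null_packet(spi: int, seq: int, inner: bytes, next_header: int,
                          icv_len: int = ASSUMED_ICV_LEN):
    """Constructed ESP-NULL packet: SPI, seq, payload, RFC 4303 default
    padding (1, 2, 3, ...) to 4-byte alignment, pad length, next header,
    and a zeroed stand-in for the ICV.  Returns (packet, pad_len)."""
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + inner + trailer + bytes(icv_len), pad_len


def wrap_wesp(esp: bytes, next_header: int, trailer_len: int, encrypted=False):
    """Prepend the 4-byte WESP wrapper.  HdrLen is 12 because ESP-NULL has
    no IV; TrailerLen covers padding, pad length, next header and the ICV."""
    flags = WESP_FLAG_E if encrypted else 0
    return struct.pack("!BBBB", next_header, 12, trailer_len, flags) + esp


if __name__ == "__main__":
    # Constructed 20-byte TCP SYN header, port 40000 -> 80, as the cleartext.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    esp, pad_len = build_esp_null_packet(0x1234, 1, tcp, 6)
    trailer_len = pad_len + 2 + ASSUMED_ICV_LEN
    print(classify(PROTO_ESP, esp))                              # opaque
    print(classify(PROTO_WESP, wrap_wesp(esp, 6, trailer_len)))  # inspect
    print(classify(PROTO_WESP, wrap_wesp(esp, 6, trailer_len, encrypted=True)))
```

Running it shows the asymmetry the thread is about: the same ESP-NULL bytes are opaque when sent as protocol 50 and inspectable when sent as protocol 141, which is why Dan's answer is a policy rule (prohibit ESP-NULL where inspection is required) rather than a heuristic in the box.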