On Thu, Jan 07, 2010 at 03:51:04PM -0900, Melinda Shore wrote:
> On Jan 7, 2010, at 3:45 PM, Jack Kohn wrote:
> > I am just trying to understand what a WESP powered middle box that's
> > interested in deep inspecting packets should do when it sees a native
> > ESP packet. Should it make an attempt to parse it based on heuristics
> > (which I completely resent) or should it treat the packet as encrypted
> > and do whatever the local policy dictates?
>
> It seems to me that any discussion of what the middlebox
> "should" do is not just out-of-scope, it's very very very
> very very out-of-scope.
Yes, but it's useful to know what they could possibly do. If a middlebox
wants to drop all encrypted IPsec traffic then it needs to know if it's
encrypted. Knowing WESP -> ESP-null, ESP -> unknown, is sufficient.

Anyone who might want to configure middle boxes to drop ESP-!null is not
really going to be helped by having a WESP "encrypted bit" -- either way
they'll have to have a flag day when they impose this policy.

Nico
--
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
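The classification Nico describes (WESP -> ESP-null, native ESP -> unknown, then local policy) as an added example; this is illustration code, not from the thread or any IPsec implementation. It assumes the IANA protocol numbers 50 (ESP) and 141 (WESP) and the RFC 5840 WESP header layout (Next Header, HdrLen, TrailerLen, Flags); the drop policy and the sample packets are constructed.

```python
import struct

IPPROTO_ESP = 50    # native ESP: nothing in the packet says whether it is encrypted
IPPROTO_WESP = 141  # Wrapped ESP (RFC 5840): wrapper header advertises ESP-null contents

def classify(pkt: bytes) -> dict:
    """WESP -> 'esp-null' (inspectable), ESP -> 'unknown' (treat as encrypted).
    No heuristic parsing of native ESP is attempted."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return {"kind": "not-ipv4"}
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IPPROTO_WESP:
        # WESP header: Next Header, HdrLen, TrailerLen, Flags (one octet each).
        # HdrLen = WESP header + ESP header + IV, i.e. the offset to the inner data;
        # TrailerLen = ESP trailer + ICV. Minimum HdrLen is 4 + 8 with no IV.
        if len(payload) < 4:
            return {"kind": "malformed"}
        next_hdr, hdr_len, trailer_len, flags = struct.unpack("!BBBB", payload[:4])
        if hdr_len < 12 or len(payload) < hdr_len + trailer_len:
            return {"kind": "malformed"}
        return {"kind": "esp-null", "inner_proto": next_hdr, "flags": flags,
                "inner": payload[hdr_len:len(payload) - trailer_len]}
    if proto == IPPROTO_ESP:
        # Only SPI and sequence number are in the clear.
        if len(payload) < 8:
            return {"kind": "malformed"}
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "unknown", "spi": spi, "seq": seq}
    return {"kind": "other", "proto": proto}

def verdict(c: dict, drop_unknown: bool = True) -> str:
    """Assumed local policy: inspect ESP-null, drop IPsec that cannot be shown to be ESP-null."""
    if c["kind"] == "esp-null":
        return "inspect"
    if c["kind"] == "unknown":
        return "drop" if drop_unknown else "pass"
    if c["kind"] == "malformed":
        return "drop"
    return "pass"

def ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left zero) for the constructed test packets."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

# Constructed samples, not captured traffic. The WESP sample sets TrailerLen to 0
# (ESP trailer and ICV omitted) and carries TCP (Next Header 6) inside ESP-null.
ESP_HDR = struct.pack("!II", 0x1234, 1)  # SPI, sequence number
WESP_PKT = ipv4(IPPROTO_WESP, bytes([6, 12, 0, 0]) + ESP_HDR + b"inner-tcp-bytes")
ESP_PKT = ipv4(IPPROTO_ESP, ESP_HDR + b"\xde\xad\xbe\xef")  # encrypted or not: unknowable
```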