On Thu, Jan 07, 2010 at 03:51:04PM -0900, Melinda Shore wrote:
> On Jan 7, 2010, at 3:45 PM, Jack Kohn wrote:
> >I am just trying to understand what a WESP powered middle box that's
> >interested in deep inspecting packets, should do when it sees a native
> >ESP packet. Should it make an attempt to parse it based on heuristics
> >(which I completely resent) or should it treat the packet as encrypted
> >and do whatever the local policy dictates?
> 
> It seems to me that any discussion of what the middlebox
> "should" do is not just out-of-scope, it's very very very
> very very out-of-scope.

Yes, but it's useful to know what they could possibly do.  If a
middlebox wants to drop all encrypted IPsec traffic then it needs to
know if it's encrypted.  Knowing WESP -> ESP-null, ESP -> unknown, is
sufficient.

Anyone who might want to configure middle boxes to drop ESP-!null is not
really going to be helped by having a WESP "encrypted bit" -- either way
they'll have to have a flag day when they impose this policy.

Nico
-- 
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
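A middlebox classifier of the kind Nico describes (WESP on the wire means ESP-null and can be parsed; native ESP means "unknown" and falls through to local policy), as an added example that is not part of the thread. It assumes the WESP header layout of the published RFC 5840, which postdates this message and includes the E flag that became the "encrypted bit" discussed here; all packets are constructed.

```python
import struct

IPPROTO_ESP = 50    # native ESP (RFC 4303)
IPPROTO_WESP = 141  # Wrapped ESP (RFC 5840)

def classify_ipv4(pkt: bytes) -> dict:
    """Wire-visible classification: 'esp-null', 'encrypted' or 'not-ipsec'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    payload = pkt[(pkt[0] & 0x0F) * 4:]
    proto = pkt[9]
    if proto == IPPROTO_ESP:
        # Native ESP says nothing about whether its payload is encrypted,
        # so the middlebox can only treat it as opaque ("unknown").
        return {"kind": "encrypted"}
    if proto == IPPROTO_WESP:
        # Fixed WESP header: Next Header, HdrLen, TrailerLen, Flags (V V E P r r r r).
        next_hdr, hdr_len, trailer_len, flags = struct.unpack("!BBBB", payload[:4])
        if flags >> 6 != 0:
            raise ValueError("unsupported WESP version")
        if flags & 0x20:  # E flag set: encrypted payload, nothing to inspect
            return {"kind": "encrypted"}
        # ESP-null: HdrLen -> offset to inner payload, TrailerLen -> trailer+ICV size.
        inner = payload[hdr_len:len(payload) - trailer_len]
        return {"kind": "esp-null", "inner_proto": next_hdr, "inner": inner}
    return {"kind": "not-ipsec", "proto": proto}

def policy(pkt: bytes, drop_encrypted: bool) -> str:
    """Local policy from the thread: inspect ESP-null, drop or pass the rest."""
    kind = classify_ipv4(pkt)["kind"]
    if kind == "esp-null":
        return "inspect"
    if kind == "encrypted" and drop_encrypted:
        return "drop"
    return "forward"

def ipv4(proto: int, payload: bytes) -> bytes:  # constructed minimal IPv4 header
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

# Constructed samples: ESP header (SPI, seq), 8 bytes of inner data, ESP-null
# trailer (no padding, Pad Length 0, Next Header 17 = UDP) and a 12-byte ICV.
ESP_HDR = struct.pack("!II", 0x1000, 1)
INNER = bytes(range(8))
TRAILER = bytes([0, 17]) + b"\x00" * 12
WESP_NULL = ipv4(IPPROTO_WESP, bytes([17, 12, 14, 0x00]) + ESP_HDR + INNER + TRAILER)
WESP_ENC = ipv4(IPPROTO_WESP, bytes([0, 0, 0, 0x20]) + ESP_HDR + b"\xde\xad" * 8)
ESP_NATIVE = ipv4(IPPROTO_ESP, ESP_HDR + INNER + TRAILER)
```

Note that the native ESP case is classified without a heuristic parse: the only information available is the protocol number, which is exactly the "ESP -> unknown" outcome the message describes.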
