Steve,

Let me add 2 more simple ones, mirroring based on L4 dest port and policy based routing.

An important point here is that not all intermediate nodes that need to examine packets are necessarily "trusted" intermediaries (in the security appliance sense); many (such as Netflow probes) have perfectly legitimate purposes that ESP-NULL would break. For these, and I'm not the first to say this, heuristics will never work. WESP is a simple enough approach to include in many of these kinds of devices.

I agree with Brian and Charlie here, what do we need to close this off?

Thanks,

--Joe

-----Original Message-----
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Brian Swander
Sent: Thursday, January 07, 2010 3:59 PM
To: Stephen Kent
Cc: ipsec@ietf.org; Russ Housley
Subject: Re: [IPsec] Traffic visibility - consensus call

Take 3 simple ones.

1. Intermediaries can audit traffic flowing thru them. Netflows work for all integrity protected traffic as if it were cleartext.

2. Intermediaries can effectively perform QOS markings on packets. Integrity-only packets get more accurate markings (as if they were cleartext).

3. Intermediaries can enforce stateless router ACLs on all integrity traffic. This is used in conjunction with end system audits, and intermediary audits, etc. This only increases the security of the overall system. The alternative is that the stateless router ACLs just permit all ESP (null or otherwise).

All of these allow rolling out transport IPSec without compromising the functionality of the given intermediaries. All are in scope for WESP.

I'm curious what the goal of this line of enquiry is. I.e., how can we ever be done with this thread? What sort of justification is needed to progress here?

bs

-----Original Message-----
From: Stephen Kent [mailto:k...@bbn.com]
Sent: Thursday, January 07, 2010 3:41 PM
To: Brian Swander
Cc: ipsec@ietf.org; Russ Housley
Subject: Re: [IPsec] Traffic visibility - consensus call

At 8:06 PM +0000 1/7/10, Brian Swander wrote:
>I'm going by what my real customers are asking for.
>
>Our real customers are asking for exactly what I'm describing below.
>I didn't ask them why their stance to intermediaries has changed, if
>it even has. That is academic. The key question here is what do
>real customers want to deploy, and how can we enable them to do it.
>
>bs

Brian,

I don't know how IPSECME will choose to proceed, but in the WG I chair folks expect WG participants to provide technically defensible rationales for designs that they advocate. Relaying what customers purportedly have requested doesn't cut it. Also, the IETF does not assume that "the customer is always right" when making protocol design decisions. If we did, and if we made such decisions in 1990, we'd be using ATM, CLNP, X.400, and other protocols that many big clients said were what they wanted in that time frame :-).

Steve

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
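The intermediary behaviour the thread argues over, as an added illustration that is not part of the original discussion and not any list member's code: a stateless device reads only the cleartext WESP header of RFC 5840 (Next Header, HdrLen, TrailerLen, Flags) to locate the inner L4 destination port on integrity-only transport-mode traffic, which is what Brian's ACL case and Joe's L4-port mirroring need, and it reports encrypted or malformed packets as opaque instead of guessing. The packet bytes, the SPI, the ICV size and the ACL policy are constructed assumptions; the intermediary cannot verify the ICV, so consistency of the WESP fields with the SA is still checked by the receiving endpoint.

```python
import struct
from typing import NamedTuple, Optional

# WESP header (RFC 5840), 4 octets in front of the ESP packet:
#   Next Header | HdrLen | TrailerLen | Flags (2-bit version, E, P, 4 reserved bits)
FLAG_E, FLAG_P = 0x20, 0x10
TCP, UDP = 6, 17


class WespView(NamedTuple):
    encrypted: bool
    next_header: int
    dst_port: Optional[int]  # None when no L4 port is visible


def inspect_wesp(pkt: bytes) -> WespView:
    """Read only the cleartext WESP fields; the ICV stays the endpoint's job."""
    if len(pkt) < 4:
        raise ValueError("truncated WESP header")
    nxt, hdr_len, trailer_len, flags = struct.unpack("!BBBB", pkt[:4])
    if flags & FLAG_E:
        return WespView(True, nxt, None)      # encrypted ESP: nothing to inspect
    start, end = hdr_len, len(pkt) - trailer_len
    # HdrLen covers the WESP header (4) plus at least the ESP header (8).
    if hdr_len < 12 or end - start < 4:
        raise ValueError("inconsistent WESP length fields")
    if nxt in (TCP, UDP):                     # transport mode: L4 header follows directly
        _src, dst = struct.unpack("!HH", pkt[start:start + 4])
        return WespView(False, nxt, dst)
    return WespView(False, nxt, None)


def acl_decision(pkt: bytes, allowed_dst_ports: set) -> str:
    """Stateless ACL on integrity-only traffic (Brian's case 3, Joe's L4-port match).
    Encrypted or unreadable packets come back 'opaque' rather than silently 'permit'."""
    try:
        view = inspect_wesp(pkt)
    except ValueError:
        return "deny"                          # malformed: no heuristic guessing
    if view.encrypted or view.dst_port is None:
        return "opaque"
    return "permit" if view.dst_port in allowed_dst_ports else "deny"


def build_wesp_null(dst_port: int) -> bytes:
    """Constructed sample: transport-mode ESP-NULL with a 96-bit ICV, wrapped in WESP."""
    esp_hdr = struct.pack("!II", 0x1000, 1)                         # SPI, sequence number
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    trailer = bytes([0, TCP]) + b"\x00" * 12                        # pad len, next hdr, ICV
    wesp = struct.pack("!BBBB", TCP, 4 + len(esp_hdr), len(trailer), 0)
    return wesp + esp_hdr + tcp + trailer
```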