Hi, we just published a new version of a draft defining Wrapped Encapsulating Security Payload v2 (WESPv2). It is designed to overcome limitations of the ESP protocol to expose flow information to the network in a transparent way. It adapts header options from RFC 8200 section 4.2 to use for padding and flow identifiers, such as 'anti replay subspaces', 'VPN IDs' etc.
To preserve the use case of the original WESP protocol (and to align with Google PSP), it also defines a Crypt Offset to allow intermediate devices to read some header bytes at the beginning of the inner packet.

Changes from -00:

- Remove explicit padding and flow identifier fields.
- Adapt header options from RFC 8200 section 4.2 to use for flow identifiers and padding.
- Remove unneeded flags E, P, F.
- Add an OptLen field to find the ESP header behind the options.
- Use Next Header value 59 instead of zero if there is no header following (i.e. CryptOffset is zero). This makes it compliant with header options as defined in RFC 8200 section 4.7.

Steffen

----- Forwarded message from internet-dra...@ietf.org -----

Date: Fri, 28 Jun 2024 04:34:39 -0700
From: internet-dra...@ietf.org
To: Antony Antony <antony.ant...@secunet.com>, Steffen Klassert <steffen.klass...@secunet.com>
Subject: New Version Notification for draft-klassert-ipsecme-wespv2-01.txt

A new version of Internet-Draft draft-klassert-ipsecme-wespv2-01.txt has been successfully submitted by Steffen Klassert and posted to the IETF repository.

Name: draft-klassert-ipsecme-wespv2
Revision: 01
Title: Wrapped ESP Version 2
Date: 2024-06-28
Group: Individual Submission
Pages: 15
URL: https://www.ietf.org/archive/id/draft-klassert-ipsecme-wespv2-01.txt
Status: https://datatracker.ietf.org/doc/draft-klassert-ipsecme-wespv2/
HTML: https://www.ietf.org/archive/id/draft-klassert-ipsecme-wespv2-01.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-klassert-ipsecme-wespv2
Diff: https://author-tools.ietf.org/iddiff?url2=draft-klassert-ipsecme-wespv2-01

Abstract:

This document describes the Wrapped Encapsulating Security Payload v2 (WESPv2) protocol, which builds on the Encapsulating Security Payload (ESP) [RFC4303]. It is designed to overcome limitations of the ESP protocol to expose inner flow information to the network in a transparent way.
To do so, it adapts IPv6 Extension header options to WESPv2 where flow identifiers can be stored. It also defines a Crypt Offset to allow intermediate devices to read some header bytes at the beginning of the inner packet. In particular, this preserves the original use-case of WESP [RFC5840].

The IETF Secretariat

----- End forwarded message -----

_______________________________________________
IPsec mailing list -- ipsec@ietf.org
To unsubscribe send an email to ipsec-le...@ietf.org
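The -01 change list describes the option area only in words, so here is an added example (not code from the draft or its authors) that walks an RFC 8200 section 4.2 style option area delimited by an OptLen field, bounds every length against OptLen before the ESP header is located, and applies RFC 8200's rule for unrecognised option types. The option type codes in FLOW_OPTS, the function names and the sample bytes are assumptions, not values taken from the draft.

```python
# Added example, not code from draft-klassert-ipsecme-wespv2 or its authors:
# walks an OptLen-delimited option area in the RFC 8200 sec. 4.2 TLV format
# that WESPv2 -01 adapts, with the RFC 8200 rule for unknown option types.
# FLOW_OPTS and SAMPLE are constructed; the draft assigns its own codes.

PAD1 = 0x00  # one byte of padding, carries no length field
PADN = 0x01  # N bytes of padding: type, length, then zero bytes
# Constructed placeholder flow-identifier types (high-order bits 00: skippable)
FLOW_OPTS = {0x02: "anti-replay-subspace", 0x03: "vpn-id"}

def unknown_option_action(opt_type, multicast_dst=False):
    """RFC 8200 sec. 4.2: the two high-order bits of an unrecognised type
    select skip, discard, or discard plus ICMP (bits 11: not for multicast)."""
    hi = opt_type >> 6
    if hi == 0:
        return "skip"
    if hi == 1:
        return "discard"
    if hi == 2 or not multicast_dst:
        return "discard+icmp"
    return "discard"

def parse_option_area(buf, opt_len, multicast_dst=False):
    """Return (verdict, flow_ids) for the option area OptLen delimits ahead of
    the ESP header; every length is bounded by opt_len before it is used."""
    if opt_len > len(buf):
        return "discard", {}
    flow_ids, pos = {}, 0
    while pos < opt_len:
        t = buf[pos]
        if t == PAD1:
            pos += 1
            continue
        if pos + 2 > opt_len:  # no room for the length byte
            return "discard", {}
        end = pos + 2 + buf[pos + 1]
        if end > opt_len:  # option data would cross OptLen into ESP
            return "discard", {}
        if t in FLOW_OPTS:
            flow_ids[FLOW_OPTS[t]] = bytes(buf[pos + 2:end])
        elif t != PADN and unknown_option_action(t, multicast_dst) != "skip":
            return "discard", {}
        pos = end
    return "accept", flow_ids

# Constructed sample: Pad1, a 4-byte vpn-id option, PadN(1) for alignment.
SAMPLE = bytes([PAD1, 0x03, 4, 0, 0, 0, 7, PADN, 1, 0])
```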