On Thu, Dec 05, 2024 at 12:38:56AM +0200, Tero Kivinen wrote:
> Michael Richardson writes:
> > 
> > Tero Kivinen <kivi...@iki.fi> wrote:
> > > Postquantum Cryptography brings new authentication methods. The
> > 
> > (rant about "quantum-safe" term omitted)
> > 
> > ...
> > 
> >     > The ESPv3 protocol was defined in 2005 and it has been seen that
> >     > there might be some need to make enhancements to it. The working group
> >     > will analyze the possible problems and work on solving them. This may
> >     > include updating ESP, AH, and/or WESP standards, or result in a new
> >     > security protocol.
> > 
> > I think "new security protocol" means a new IP protocol=xx mechanism (ESP
> > with a new number), but I think that many people won't understand that.
> > For some, this could mean an entirely new architecture, and I'm sure this
> > wasn't intended. Yes, ESP=Encapsulated *SECURITY PROTOCOL*, but ...
> 
> I do not think the working group has decided whether we do a new IP
> protocol number, or whether we do a new format of the ESP frames using
> the old protocol number, or whatever.
> 
> > I suggest:
> > 
> >     > This may
> >     > include updating or replacing ESP, AH, and/or WESP standards.
> > 
> > (I think we are always enfranchised to ask for a new IPPROTO)
> > and the above is a nit.
> 
> Even if we make a new version of the ESP, that version might be in
> limited use, and not for general purpose use cases. My understanding
> is that most of the changes were based on the datacenter use cases
> where they want to peek into the packets and export certain things
> from the inner flow to outside, and make changes to the ESP frame
> format to make hardware implementations easier etc.

The EESP proposal is clearly planned for general purpose use cases;
the datacenter use case is just a part of it.

> 
> Most of those changes are not something that is needed for road
> warrior use cases, or VPN connections between two offices etc.
> 
> So it might be that we make a new security protocol in addition to ESPv3,
> i.e., ESPv3 is still used for VPN use cases, and then we make EESP
> (or whatever) which has a new IP protocol number, and that is aimed at
> the datacenter use cases.
> 
> > Otherwise, I'm very happy with the proposed charter.
> 
> I would like to keep the charter a bit open in this regard, i.e.,
> whether we make a new security protocol or update ESPv3 is a bit open,
> but I do not think we are even planning on making a replacement for
> ESPv3, i.e., if we make a new security protocol it will be in addition
> to ESPv3 (i.e., ESPv3 will not be obsoleted by the new version).

The idea is that everyone who does not need the new features can
still use ESPv3. So EESP (or whatever) should not become ESPv4.
In the draft we currently say 'EESP neither updates nor obsoletes
[RFC 4303]'.

Steffen

_______________________________________________
IPsec mailing list -- ipsec@ietf.org
To unsubscribe send an email to ipsec-le...@ietf.org