Glen, IPSECME WG <http://www.ietf.org/html.charters/ipsecme-charter.html> at IETF is actually working on the exact issue that you have described (unable to deep inspect ESP-NULL packets).
You can look at draft-ietf-ipsecme-traffic-visibility-02 <http://tools.ietf.org/html/draft-ietf-ipsecme-traffic-visibility-02> for more details.

Jack

On Sat, May 23, 2009 at 5:06 AM, Glen Kent <glen.k...@gmail.com> wrote:
> Yes, that's what I had meant!
>
> On Fri, May 22, 2009 at 10:46 PM, Christopher Morrow
> <morrowc.li...@gmail.com> wrote:
>>
>> On Fri, May 22, 2009 at 1:04 PM, Glen Kent <glen.k...@gmail.com> wrote:
>> > Hi,
>> >
>> > It is well known in the community that AH is NAT unfriendly while ESP cannot
>> > be filtered, and most firewalls would not let such packets pass. I am NOT
>>
>> 'the content of the esp packet can't be filtered in transit' I think
>> you mean... right?
>>
>> > interested in encrypting the data, but I do want origination authentication
>> > (Integrity Protection). Do folks in such cases use AH or ESP-NULL, given
>> > that both have some issues?
>> >
>> > Thanks,
>> > Glen
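The following is an added example, not part of the thread above and not code from the IPSECME working group. It shows why a firewall doing deep inspection treats the three options differently: an AH header carries the Next Header field up front (RFC 4302), plain ESP hides it at the end of the packet behind an ICV whose length only the two SA endpoints know (RFC 4303), and the WESP wrapper defined by the traffic-visibility draft (later published as RFC 5840) restores a visible Next Header, header length, trailer length and an "encrypted" flag. All packets, SPIs, sequence numbers, the 12-byte ICV and the 20-byte stand-in for a TCP header are constructed sample data; `inspect_*` are hypothetical names for what a middlebox could extract.

```python
import struct

# Constructed sample values; none of these come from the thread.
PROTO_TCP = 6
FAKE_TCP = bytes(range(20))   # constructed stand-in for a 20-byte TCP header
FAKE_ICV = b"\xaa" * 12       # constructed 96-bit ICV (e.g. HMAC-SHA1-96)


def esp_pad_len(inner_len):
    """Padding needed so that payload + Pad Length + Next Header is 4-byte aligned."""
    return (-(inner_len + 2)) % 4


def build_ah(spi, seq, inner):
    """RFC 4302: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Seq, ICV."""
    ah_total = 12 + len(FAKE_ICV)
    hdr = struct.pack("!BBHII", PROTO_TCP, ah_total // 4 - 2, 0, spi, seq)
    return hdr + FAKE_ICV + inner


def build_esp_null(spi, seq, inner):
    """RFC 4303 with NULL encryption: SPI, Seq, payload, padding, Pad Length, Next Header, ICV.

    Nothing is encrypted, but the trailer with Next Header still sits behind the ICV.
    """
    pad = esp_pad_len(len(inner))
    trailer = bytes(range(1, pad + 1)) + bytes([pad, PROTO_TCP])
    return struct.pack("!II", spi, seq) + inner + trailer + FAKE_ICV


def build_wesp_null(spi, seq, inner):
    """RFC 5840 WESP header (Next Header, HdrLen, TrailerLen, Flags) in front of the ESP packet."""
    hdr_len = 4 + 8                                   # WESP header + ESP header, no IV for NULL
    trailer_len = esp_pad_len(len(inner)) + 2 + len(FAKE_ICV)
    flags = 0x00                                      # Version=0, E=0 (not encrypted), P=0
    return struct.pack("!BBBB", PROTO_TCP, hdr_len, trailer_len, flags) + build_esp_null(spi, seq, inner)


def inspect_ah(pkt):
    """A middlebox can read the inner protocol directly and locate the payload from Payload Len."""
    nh, plen, _, spi, seq = struct.unpack("!BBHII", pkt[:12])
    ah_len = (plen + 2) * 4
    return {"next_header": nh, "spi": spi, "seq": seq,
            "icv_len": ah_len - 12, "payload": pkt[ah_len:]}


def inspect_esp(pkt):
    """Plain ESP: only SPI and Seq are visible.

    Whether the payload is encrypted and how long the ICV is are SA properties
    the middlebox does not hold, so Next Header and the payload boundary are unknown.
    """
    spi, seq = struct.unpack("!II", pkt[:8])
    return {"spi": spi, "seq": seq, "next_header": None, "payload": None, "opaque": pkt[8:]}


def inspect_wesp(pkt):
    """WESP: Next Header, payload offset and trailer length are explicit; E flag says if it is encrypted."""
    nh, hdr_len, trailer_len, flags = struct.unpack("!BBBB", pkt[:4])
    if flags >> 6 != 0:
        raise ValueError("unsupported WESP version")
    encrypted = bool(flags & 0x20)
    spi, seq = struct.unpack("!II", pkt[4:12])
    payload = None if encrypted else pkt[hdr_len:len(pkt) - trailer_len]
    return {"next_header": nh, "spi": spi, "seq": seq, "encrypted": encrypted, "payload": payload}


if __name__ == "__main__":
    for name, build, inspect in (("AH", build_ah, inspect_ah),
                                 ("ESP-NULL", build_esp_null, inspect_esp),
                                 ("WESP", build_wesp_null, inspect_wesp)):
        view = inspect(build(0x1234, 1, FAKE_TCP))
        print(name, {k: v for k, v in view.items() if k != "opaque"})
```

Running it shows the asymmetry the thread is about: for AH and WESP the firewall recovers `next_header == 6` and the exact inner header, while for ESP-NULL it only sees an SPI, a sequence number and an opaque blob, which is why such packets are either dropped or passed uninspected.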