Brian,
I wasn't sure, from your brief description, whether you envisioned
any crypto protection for this version of WESP. If not, then this
added info is not protected and might be modified en route. This
seems like a possibly dangerous feature, as it says that we are
causing an intermediate system (e.g., a firewall) to make decisions
on passing packets based on unauthenticated info. If the WESP data
were protected it would raise questions about how we effect key
distribution, and why this form of SA nesting is more attractive than
the nested SA support that was pulled from IPsec as we went from 2401
to 4301.
Steve
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec