Hi Dan
I agree with you regarding some of the proposals that have been floating around
re: exposing bits and pieces of encrypted data.
I disagree though that WESP should not be used for encrypted data:
- It is simpler for implementations and architecturally cleaner for WESP to
support both flavors.
- WESP provides for (secure) extensibility, which unfortunately we have not had
with ESP. Indeed we should be wise about picking such extensions.
Thanks,
Yaron
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dan
McDonald
Sent: Thursday, December 17, 2009 4:35
To: Russ Housley
Cc: [email protected]; [email protected]
Subject: Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-visibility
On Wed, Dec 16, 2009 at 02:59:45PM -0800, Russ Housley wrote:
<SNIP!>
> The document allows the encapsulation of encrypted IPsec traffic.
> Why? I cannot see the justification for the use if WESP at all if
> the IPsec traffic is encrypted.
<tin-foil-hat>
Because THE MAN told 'em to do it!
</tin-foil-hat>
:)
Seriously though, I agree with Russ -- it makes little to no sense to expose
privacy-protected fields. If you're worried about traffic shaping, just put
all ESP/WESP/whatever packets in the lowest priority bucket. Any other
reason that springs to mind simply defeats the purpose of privacy-protection.
Dan
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
Scanned by Check Point Total Security Gateway.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
