At 5:19 PM +0200 1/6/10, Yaron Sheffer wrote:
> I would like to reframe the migration discussion. Manav, Scott and
> everyone else, please correct me if I got it wrong.
>
> Suppose we have a middlebox that can do useful things if it knows
> that the flow is unencrypted, and only basic things if it is
> encrypted. A load balancer is a good example.
>
> We are slowly migrating all endpoints in an enterprise to be
> WESP-capable. During the migration period, the middlebox sees 3 or 4
> types of traffic:
>
> 1. WESP from the new nodes.
> 2. Depending on your view of whether we have the bit in question:
> encrypted ESP from WESP-capable ("new") nodes.
> 3. Encrypted ESP from WESP-incapable ("old") nodes.
> 4. And ESP-null from old nodes.
>
> Taking Manav's perspective, the middlebox can always use heuristics
> to distinguish encrypted ESP from ESP-null. As the number of
> WESP-capable nodes grows, it will see less and less ESP, so will
> spend ever less CPU power on heuristics.
It's not clear why nodes sending encrypted traffic would need to use
WESP (vs. native ESP), even if there is a WESP flag that indicates an
encrypted payload. Thus I don't agree with the conclusion that over
time there would be less ESP overall. If you said there would be
less use of ESP-NULL (w/o a WESP header), I would agree. To suggest
otherwise is to presuppose that replacing ESP with WESP in general
is a goal, and I certainly don't think the WG has indicated that (nor
is it in scope at this time).
Steve
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
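To make the middlebox trade-off in the thread concrete, here is an added illustration (not code from the thread, the WG, or any WESP implementation) of how a middlebox might classify the traffic types Yaron lists. It assumes the WESP header layout of RFC 5840 (Next Header, HdrLen, TrailerLen, Flags, with Flags = Version:2 | E:1 | P:1 | Reserved:4) and the IANA protocol numbers ESP = 50 and WESP = 141; the ESP-null heuristic is a deliberately crude placeholder, not the real heuristics work, and the sample packets are constructed. The point it shows is the one both sides agree on: only plain ESP needs the heuristic path, so what changes the heuristic load is how much traffic carries a WESP header, not whether that traffic is encrypted.

```python
"""Middlebox classifier for the ESP / WESP migration period (illustrative)."""
import struct

PROTO_ESP = 50    # IANA protocol number for ESP
PROTO_WESP = 141  # IANA protocol number for WESP (Wrapped ESP)


def parse_wesp_flags(payload: bytes) -> dict:
    """Decode the 4-byte WESP header (layout per RFC 5840, as assumed here)."""
    if len(payload) < 4:
        raise ValueError("truncated WESP header")
    next_hdr, hdr_len, trailer_len, flags = struct.unpack("!BBBB", payload[:4])
    return {
        "next_header": next_hdr,
        "hdr_len": hdr_len,          # offset from WESP header to inner packet (null case)
        "trailer_len": trailer_len,  # length of ESP trailer (null case)
        "version": (flags >> 6) & 0x3,
        "encrypted": bool((flags >> 5) & 0x1),  # the "E" bit the thread argues about
        "padding": bool((flags >> 4) & 0x1),
        "reserved": flags & 0x0F,
    }


def looks_like_esp_null(esp_payload: bytes) -> bool:
    """Crude stand-in heuristic: after SPI (4) + sequence (4), does the
    payload start with a plausible IPv4 header carrying TCP or UDP?
    Real heuristics are far more involved; this only models their cost."""
    inner = esp_payload[8:28]
    if len(inner) < 20:
        return False
    version, ihl = inner[0] >> 4, inner[0] & 0x0F
    return version == 4 and ihl >= 5 and inner[9] in (6, 17)


def classify(protocol: int, payload: bytes) -> str:
    """Return a label; labels ending in '-heuristic' cost CPU on the middlebox."""
    if protocol == PROTO_WESP:
        h = parse_wesp_flags(payload)
        if h["version"] != 0 or h["reserved"] != 0:
            return "wesp-malformed"
        return "wesp-encrypted" if h["encrypted"] else "wesp-null"
    if protocol == PROTO_ESP:
        if looks_like_esp_null(payload):
            return "esp-null-heuristic"
        return "esp-encrypted-heuristic"
    return "not-ipsec"


def summarize(packets):
    """Count labels and how many packets needed the heuristic path."""
    counts = {}
    for proto, payload in packets:
        label = classify(proto, payload)
        counts[label] = counts.get(label, 0) + 1
    needs_heuristics = sum(v for k, v in counts.items() if k.endswith("-heuristic"))
    return counts, needs_heuristics


# --- constructed sample packets (not captured traffic) ---
INNER_IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
ESP_HDR = struct.pack("!II", 0x1234, 1)                 # SPI, sequence number
OPAQUE = bytes(i * 37 % 256 for i in range(40))         # stands in for ciphertext
SAMPLE_WESP_NULL = bytes([4, 12, 2, 0x00]) + ESP_HDR + INNER_IPV4   # E=0
SAMPLE_WESP_ENC = bytes([4, 0, 0, 0x20]) + ESP_HDR + OPAQUE         # E=1
SAMPLE_ESP_NULL = ESP_HDR + INNER_IPV4                  # old node, ESP-null, no WESP
SAMPLE_ESP_ENC = ESP_HDR + OPAQUE                       # old node, encrypted ESP

MIGRATION_MIX = [
    (PROTO_WESP, SAMPLE_WESP_NULL),
    (PROTO_WESP, SAMPLE_WESP_ENC),
    (PROTO_ESP, SAMPLE_ESP_NULL),
    (PROTO_ESP, SAMPLE_ESP_ENC),
]

if __name__ == "__main__":
    counts, n = summarize(MIGRATION_MIX)
    print(counts)
    print(f"{n} of {len(MIGRATION_MIX)} packets needed the heuristic path")
```

Note that in this model the WESP-encrypted packet is classified with no heuristic at all, which is exactly why the E bit matters to a middlebox; the question Steve raises is separate, namely whether any endpoint has a reason to emit that packet type rather than plain ESP in the first place.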