Hi Steve,

Please reread my text. I was (in that paragraph) taking Manav's side, i.e. assuming there's value in a deterministic distinction between encrypted and unencrypted ESP, and hence gradually moving the endpoints to WESP so that middleboxes have an easier time.

As we know, this opinion is not shared by everyone.

Thanks,
	Yaron

-----Original Message-----
From: Stephen Kent [mailto:k...@bbn.com]
Sent: Wednesday, January 06, 2010 19:10
To: Yaron Sheffer
Cc: Scott C Moonen; Venkatesh Sriram; ipsec@ietf.org; ipsec-boun...@ietf.org
Subject: Re: [IPsec] Traffic visibility - consensus call

At 5:19 PM +0200 1/6/10, Yaron Sheffer wrote:
>I would like to reframe the migration discussion. Manav, Scott and
>everyone else, please correct me if I got it wrong.
>
>Suppose we have a middlebox that can do useful things if it knows
>that the flow is unencrypted, and only basic things if it is
>encrypted. A load balancer is a good example.
>
>We are slowly migrating all endpoints in an enterprise to be
>WESP-capable. During the migration period, the middlebox sees 3 or 4
>types of traffic:
>
>1. WESP from the new nodes.
>2. Depending on your view of whether we have the bit in question:
>encrypted ESP from WESP-capable ("new") nodes.
>3. Encrypted ESP from WESP-incapable ("old") nodes.
>4. And ESP-null from old nodes.
>
>Taking Manav's perspective, the middlebox can always use heuristics
>to distinguish encrypted ESP from ESP-null. As the number of
>WESP-capable nodes grows, it will see less and less ESP, so will
>spend ever less CPU power on heuristics.

It's not clear why nodes sending encrypted traffic would need to use WESP (vs. native ESP), even if there is a WESP flag that indicates an encrypted payload. Thus I don't agree with the conclusion that over time there would be less ESP overall. If you said there would be less use of ESP-NULL (w/o a WESP header), I would agree. To suggest otherwise is to pre-suppose that replacing ESP with WESP in general is a goal, and I certainly don't think the WG has indicated that (nor is it in scope at this time).

Steve

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
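To make the four traffic types in Yaron's list concrete from the middlebox's point of view, here is an added classifier (example code written for this page, not from the thread, the IPsec WG, or any implementation). It assumes IPv4 outer headers, ESP as IP protocol 50, WESP as IP protocol 141 with the header layout RFC 5840 later fixed (Next Header, HdrLen, TrailerLen, Flags, where Flags carries a two-bit version, the E "encrypted payload" bit and the P bit), so the E bit stands in for "the bit in question" that was still under discussion here. For plain ESP there is no such flag, so the code falls back to a deliberately simple heuristic (an inner-IPv4-header sanity check plus a byte-entropy threshold); the ESP-NULL heuristics the WG actually specified (RFC 5879) are more elaborate. All packets are constructed inline, and the "ciphertext" is a byte permutation chosen for maximal entropy rather than real cipher output. The function names and sample values are this example's own.

```python
import math
import struct

IPPROTO_ESP = 50         # ESP (RFC 4303)
IPPROTO_WESP = 141       # WESP; IANA number assigned by RFC 5840 (assumed layout below)
ENTROPY_THRESHOLD = 6.0  # bits/byte: ciphertext sits near 8, most plaintext well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, estimated from the byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plausible_inner_ipv4(data: bytes) -> bool:
    """Tunnel-mode ESP-NULL exposes an inner IPv4 header right after SPI + sequence."""
    if len(data) < 20:
        return False
    version = data[0] >> 4
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    return version == 4 and 20 <= ihl <= total_len <= len(data)


def classify(packet: bytes) -> tuple:
    """Return (traffic_type, deterministic) for one IPv4 packet as a middlebox sees it."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == IPPROTO_WESP:
        if len(payload) < 4:
            return ("malformed", True)
        _next_hdr, _hdr_len, _trailer_len, flags = struct.unpack("!BBBB", payload[:4])
        if flags >> 6 != 0:           # V bits: only version 0 is defined (assumed)
            return ("malformed", True)
        encrypted = (flags >> 5) & 1  # the E bit: deterministic answer, no guessing
        return ("wesp-encrypted" if encrypted else "wesp-null", True)
    if proto == IPPROTO_ESP:
        if len(payload) < 8:
            return ("malformed", True)
        body = payload[8:]            # skip SPI (4) and sequence number (4)
        if plausible_inner_ipv4(body) or shannon_entropy(body) < ENTROPY_THRESHOLD:
            return ("esp-null", False)
        return ("esp-encrypted", False)
    return ("other", True)


def heuristic_share(packets) -> float:
    """Fraction of packets that needed the heuristic path, i.e. the CPU cost the thread argues about."""
    results = [classify(p) for p in packets]
    return sum(1 for _, deterministic in results if not deterministic) / len(results)


# ---- constructed sample traffic (not captured data) ----
def ipv4_header(proto: int, payload_len: int) -> bytes:
    # Minimal 20-byte header; checksum left zero because nothing here verifies it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def esp_packet(body: bytes, wesp_flags=None) -> bytes:
    esp = struct.pack("!II", 0x00001000, 1) + body  # SPI, sequence number, then payload
    if wesp_flags is None:
        return ipv4_header(IPPROTO_ESP, len(esp)) + esp
    # Illustrative WESP header values: Next Header 4 (IP-in-IP), HdrLen 12, TrailerLen 0
    wesp = struct.pack("!BBBB", 4, 12, 0, wesp_flags) + esp
    return ipv4_header(IPPROTO_WESP, len(wesp)) + wesp


HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n"
INNER_PLAINTEXT = ipv4_header(6, len(HTTP)) + HTTP  # inner IPv4 packet; TCP header omitted
# Stand-in for ciphertext: a permutation of all 256 byte values, so entropy is exactly 8 bits/byte
CIPHERTEXT = bytes((i * 167 + 13) % 256 for i in range(256))

SAMPLES = {
    "wesp-null": esp_packet(INNER_PLAINTEXT, wesp_flags=0x00),
    "wesp-encrypted": esp_packet(CIPHERTEXT, wesp_flags=0x20),  # E bit set
    "esp-null": esp_packet(INNER_PLAINTEXT),
    "esp-encrypted": esp_packet(CIPHERTEXT),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15s} -> {classify(pkt)}")
    print("heuristic share:", heuristic_share(list(SAMPLES.values())))
```

The second element of each result records whether the answer came from a header field or from a guess; `heuristic_share` over a mix of traffic is the quantity both sides of the thread are reasoning about, and with two WESP and two plain-ESP packets it comes out at 0.5. Note that the E bit is only trustworthy because the WESP header is covered by ESP's integrity check, and that a real middlebox heuristic has to cope with transport mode, IVs and unknown ICV lengths, none of which this toy handles.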