On Mon, Mar 02, 2026 at 08:18:56AM -0800, [email protected] wrote:
> Internet-Draft draft-ietf-ipsecme-eesp-03.txt is now available. It is a work
> item of the IP Security Maintenance and Extensions (IPSECME) WG of the IETF.
>
>    Title:   Enhanced Encapsulating Security Payload (EESP)
>    Authors: Steffen Klassert
>             Antony Antony
>             Christian Hopps
>    Name:    draft-ietf-ipsecme-eesp-03.txt
>    Pages:   44
>    Dates:   2026-03-02
>
> Abstract:
>
>    This document describes the Enhanced Encapsulating Security Payload
>    (EESP) protocol, which builds on the existing IP Encapsulating
>    Security Payload (ESP) protocol.  It is designed to modernize and
>    overcome limitations in the ESP protocol.
>
>    EESP adds Session IDs (e.g., to support CPU pinning and QoS support
>    based on the inner traffic flow), changes some previously mandatory
>    fields to optional, and moves the ESP trailer into the EESP header.
>    Additionally, EESP adds header options adapted from IPv6 to allow for
>    future extension.  New header options are defined which add a crypt-
>    offset to allow for exposing inner flow information for middlebox
>    use.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-eesp/

We don't present at the IETF 125 meeting about the EESP work, so here
is a changelog for the latest version. We worked in the discussion
results from IETF 124. From our perspective, the draft is complete now.

Changelog:

- Core scope tightened around Session ID + Crypt Offset:
  - Flow Identifier Option removed from the base option set in this draft.
  - Option set now: Pad1, PadN, Crypt Offset.
  - Session ID text clarified as Sub SA ID / flow-identification vehicle.

- Crypt Offset option layout simplified:
  - Former R(2)+F(2) bits replaced by R(4) reserved bits.
  - PSP-specific flag semantics removed from this base document.

- Packet-format rules made normative and stricter:
  - Tunnel mode: Optimized format MUST be used.
  - Transport/BEET/IP-TFS: Full format MUST be used.
  - Added explicit mode-to-format mapping table.

- Payload Info Header requirements clarified:
  - Presence depends on mode and whether Next Header/Pad Length can be
    inferred.

- Sub-SA sequence/replay handling clarified:
  - Added explicit per-Sub-SA counter behavior and rollover/reset
    expectations.

- Processing text updates:
  - Layer-4 encapsulation modes (Transport/BEET) explicitly require
    Full Packet Format.
  - Tunnel mode section explicitly requires Optimized Packet Format.
  - BEET mode processing text expanded for clarity.

- IANA/registry updates:
  - EESP options registry no longer assigns value 3 to FID.
  - Now effectively: 0 Pad1, 1 PadN, 2 Crypt Offset, 3-223 Unassigned,
    224-255 Private.

Steffen
