Re: [IPsec] Traffic visibility - consensus call

2010-01-08 Thread Brian Swander
stics entirely during migration. So carrying encrypted traffic in WESP is very valuable (and in charter). bs -Original Message- From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Tero Kivinen Sent: Friday, January 08, 2010 3:58 AM To: Brian Swander Cc: ipsec@iet

Re: [IPsec] Traffic visibility - consensus call

2010-01-07 Thread Brian Swander
rt of justification is needed to progress here? bs -Original Message- From: Stephen Kent [mailto:k...@bbn.com] Sent: Thursday, January 07, 2010 3:41 PM To: Brian Swander Cc: ipsec@ietf.org; Russ Housley Subject: Re: [IPsec] Traffic visibility - consensus call At 8:06 PM + 1/7/10,

Re: [IPsec] Traffic visibility - consensus call

2010-01-07 Thread Brian Swander
to deploy, and how can we enable them to do it. bs -Original Message- From: Stephen Kent [mailto:k...@bbn.com] Sent: Thursday, January 07, 2010 11:09 AM To: Brian Swander Cc: ipsec@ietf.org; Russ Housley Subject: RE: [IPsec] Traffic visibility - consensus call At 5:13 PM +0000 1/7/10

Re: [IPsec] Traffic visibility - consensus call

2010-01-07 Thread Brian Swander
ither working in isolation and in complete distrust of the other. -Original Message- From: Brian Swander Sent: Thursday, January 07, 2010 9:14 AM To: 'Stephen Kent' Cc: ipsec@ietf.org; Russ Housley; gabriel montenegro Subject: RE: [IPsec] Traffic visibility - consensus call I

Re: [IPsec] Traffic visibility - consensus call

2010-01-07 Thread Brian Swander
aries - although clearly security intermediaries are important here, too. bs -Original Message- From: Stephen Kent [mailto:k...@bbn.com] Sent: Thursday, January 07, 2010 8:10 AM To: Brian Swander Cc: ipsec@ietf.org; Russ Housley; gabriel montenegro Subject: Re: [IPsec] Traffic visib

Re: [IPsec] Traffic visibility - consensus call

2010-01-06 Thread Brian Swander
esday, January 06, 2010 1:01 PM To: Brian Swander Cc: ipsec@ietf.org; Russ Housley; gabriel montenegro; Stephen Kent Subject: RE: [IPsec] Traffic visibility - consensus call At 7:55 PM + 1/6/10, Brian Swander wrote: >I trust my clarification (to Yaron) addressed these questions. Let >me kn

Re: [IPsec] Traffic visibility - consensus call

2010-01-06 Thread Brian Swander
os can leverage them, too). bs From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Yaron Sheffer Sent: Wednesday, January 06, 2010 11:54 AM To: Brian Swander; Stephen Kent Cc: ipsec@ietf.org; Russ Housley; gabriel montenegro Subject: Re: [IPsec] Traffic visibility - consensus

Re: [IPsec] Traffic visibility - consensus call

2010-01-06 Thread Brian Swander
I trust my clarification (to Yaron) addressed these questions. Let me know if there are any outstanding. bs From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Stephen Kent Sent: Wednesday, January 06, 2010 11:45 AM To: Brian Swander Cc: ipsec@ietf.org; Russ Housley

Re: [IPsec] Traffic visibility - consensus call

2010-01-06 Thread Brian Swander
can't assume intermediaries must implement heuristics. bs From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Yaron Sheffer Sent: Wednesday, January 06, 2010 11:21 AM To: Brian Swander; Stephen Kent Cc: ipsec@ietf.org; Russ Housley; gabriel montenegro Subject:

Re: [IPsec] Traffic visibility - consensus call

2010-01-06 Thread Brian Swander
achines to accomplish this. Routing infrastructure that doesn't do heuristics Requires intermediaries that can do full ESP-NULL parsing. bs -Original Message- From: Paul Hoffman [mailto:paul.hoff...@vpnc.org] Sent: Wednesday, January 06, 2010 10:21 AM To: Brian Swander; gabriel m

Re: [IPsec] Traffic visibility - consensus call

2010-01-06 Thread Brian Swander
See my response to Stephen Kent, and let me know if that doesn't clarify adequately. bs From: Scott C Moonen [mailto:smoo...@us.ibm.com] Sent: Wednesday, January 06, 2010 11:00 AM To: Brian Swander Cc: gabriel montenegro; Russ Housley; ipsec@ietf.org; ipsec-boun...@ietf.org; Stephen

Re: [IPsec] Traffic visibility - consensus call

2010-01-06 Thread Brian Swander
f Stephen Kent Sent: Wednesday, January 06, 2010 10:37 AM To: Brian Swander Cc: ipsec@ietf.org; Russ Housley; gabriel montenegro Subject: Re: [IPsec] Traffic visibility - consensus call At 5:42 PM +0000 1/6/10, Brian Swander wrote: The uplevel machines can't use ESP to send the encrypted

Re: [IPsec] Traffic visibility - consensus call

2010-01-06 Thread Brian Swander
? We must make sure that we have a solution that is deployable and useful in the real world. bs -Original Message- From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Paul Hoffman Sent: Wednesday, January 06, 2010 9:50 AM To: Brian Swander; gabriel montenegro; Ru

Re: [IPsec] Traffic visibility - consensus call

2010-01-06 Thread Brian Swander
heuristics. Intermediaries would be configured (in this scenario) to assume that ESP always means ESP-NULL. bs -Original Message- From: Stephen Kent [mailto:k...@bbn.com] Sent: Wednesday, January 06, 2010 7:07 AM To: Brian Swander Cc: gabriel montenegro; Russ Housley; ipsec@ietf.org Subject:

Re: [IPsec] Traffic visibility - consensus call

2010-01-06 Thread Brian Swander
Take a look at the policy sketch I sent out yesterday for how to roll this out in a mixed mode environment. That should clarify all your questions. bs From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Scott C Moonen Sent: Wednesday, January 06, 2010 5:38 AM To: Venka

Re: [IPsec] Traffic visibility - consensus call

2010-01-05 Thread Brian Swander
I'll resend my message from earlier today that gives a concrete scenario for why the WESP encryption bit is in charter. To satisfy the existing charter item, we need a deployable solution, which entails working with legacy systems that don't support this functionality yet. Here's an explic

Re: [IPsec] Traffic visibility - consensus call

2010-01-05 Thread Brian Swander
Yes to both. To elaborate on what Ken said, here's an explicit scenario that requires the encrypted bit for WESP, fully within the current charter of enabling ESP-NULL inspection. Transport policies for within an organization that want to enable intermediary inspection of ESP-NULL non-heurisit

Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-visibility

2009-12-21 Thread Brian Swander
I took Russ' comments about "being in the rough" to imply that we're re-opening the consensus discussion. I'm not sure why we're reopening this, since we already got consensus on this when it came up the first time. Since many of our internal guys are already out for the holidays, I can't see

Re: [IPsec] Proposed work item: WESP extensibility

2009-12-09 Thread Brian Swander
AH alone isn't good enough. We need solutions that also work with end-to-end encryption. bs -Original Message- From: Tero Kivinen [mailto:kivi...@iki.fi] Sent: Tuesday, December 08, 2009 3:26 AM To: Brian Swander Cc: Stephen Kent; ipsec@ietf.org Subject: Re: [IPsec] Proposed work

Re: [IPsec] Proposed work item: WESP extensibility

2009-12-07 Thread Brian Swander
extension proposal does. bs -Original Message----- From: Brian Swander Sent: Monday, December 07, 2009 10:25 AM To: 'Stephen Kent' Cc: ipsec@ietf.org Subject: RE: [IPsec] Proposed work item: WESP extensibility 0 - option data does not change en-route. This option is incl

Re: [IPsec] Proposed work item: WESP extensibility

2009-12-07 Thread Brian Swander
this, and just have the end systems send fully encrypted packets thru the now totally blind intermediaries like we have today. bs -Original Message- From: Stephen Kent [mailto:k...@bbn.com] Sent: Monday, December 07, 2009 7:46 AM To: Brian Swander Cc: ipsec@ietf.org Subject: Re: [IPsec

Re: [IPsec] Proposed work item: WESP extensibility - YES

2009-12-07 Thread Brian Swander
I am interested in WESP extensibility proceeding as a chartered work item. I will commit to reviewing the draft, and providing text. I don't need to be a co-author. bs From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Yaron Sheffer Sent: Sunday, November 29, 2009 9:2

Re: [IPsec] Proposed work item: WESP extensibility

2009-12-03 Thread Brian Swander
(Apologies if this is a dupe. I sent it out yesterday, but it still hasn't shown up on the list yet, so I figured I better resend from a different account). Here is another WESP extension that we are interested in. Packet Contents Option 0 1 2