Hi, As we near publication of the WESP and Heuristics drafts, we'd like to make sure that the WG consensus is clearly expressed in both documents. So we propose to include the following note as a section in both documents. Please let us know if this works for you:
-- begin text
Applicability: Heuristic Traffic Inspection and Wrapped ESP
-----------------------------------------------------------
There are two ways to enable intermediate security devices to distinguish
between encrypted and unencrypted ESP traffic:
- The heuristics approach [heuristics I-D] has the intermediate node inspect
the unchanged ESP traffic, to determine with extremely high probability
whether or not the traffic stream is encrypted.
- The Wrapped ESP approach [WESP I-D], in contrast, requires the ESP
endpoints to be modified to support the new protocol. WESP allows the
intermediate node to distinguish encrypted and unencrypted traffic
deterministically, using a simpler implementation for the intermediate node.
Both approaches are being documented simultaneously by the IPsecME Working
Group, with WESP being put on Standards Track while the heuristics approach
is being published as an Informational RFC. While endpoints are being
modified to adopt WESP, we expect both approaches to coexist for years,
because the heuristic approach is needed to inspect traffic where at least
one of the endpoints has not been modified. In other words, intermediate
nodes are expected to support both approaches in order to achieve good
security and performance during the transition period.
-- end text
[Note: both references are non-normative.]
Currently both documents have direct or indirect references to one another,
but they are not exactly in line with the consensus we have reached. In both
cases the emphasis is on the two solutions competing with one another,
rather than complementing each other.
Thanks,
Yaron
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
