At 5:20 PM +0000 12/9/09, Brian Swander wrote:
> AH alone isn't good enough. We need solutions that also work with
> end-to-end encryption.
> bs
I think you are saying that it is a goal of those who are proposing
the WESP extension work item to move beyond the original, stated
goals of WESP, and provide middleboxes the ability to examine
purported contents of encrypted packets. I will observe that this
notion suggests copying portions of plaintext that is being encrypted
into a WESP extension header, which is close to the partial
encryption proposals that the IPSEC WG rejected on multiple
occasions, for security reasons.
I also note that my last two e-mail exchanges with Jack Kohn did not
elicit a clarification of the one vs. many SAs issue that was raised
in the context of OSPFv3 use of IPsec, as part of the justification
for using WESP there. Absent a definitive statement that this
context requires a lot of SAs, the arguments put forth about the need
for ESP in that context are moot.
Steve
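As an added illustration of what WESP, as specified, does and does not let a middlebox see (this is example code written for this page, not code from the thread or from any IETF implementation): the 4-octet header layout (Next Header, HdrLen, TrailerLen, Flags with a 2-bit version V and the Encrypted Payload bit P) is taken from RFC 5840, and everything else, including the two sample packets, the zeroed ICV and the helper names, is constructed for the demonstration. When P=0 (ESP-NULL) the middlebox can locate the inner payload from HdrLen and TrailerLen; when P=1 it learns only SPI and sequence number and consults no claimed inner fields, since nothing beyond the headers is verifiable from its vantage point.

```python
"""WESP (RFC 5840) header inspection from a middlebox's point of view.

Added example, not part of the original mailing-list thread.  Header field
layout follows RFC 5840 section 2 (assumed here); the packets, the zeroed
ICV and the helper functions are constructed for this demonstration only.
"""
import struct

WESP_HDR_LEN = 4          # Next Header, HdrLen, TrailerLen, Flags
ESP_HDR_LEN = 8           # SPI + Sequence Number (RFC 4303)
FLAG_VERSION_MASK = 0xC0  # V: top two bits of Flags
FLAG_ENCRYPTED = 0x20     # P: Encrypted Payload bit


def parse_wesp(pkt: bytes) -> dict:
    """Decode the 4-octet WESP header and the ESP SPI/sequence that follow it."""
    if len(pkt) < WESP_HDR_LEN + ESP_HDR_LEN:
        raise ValueError("packet too short for WESP + ESP headers")
    next_hdr, hdr_len, trailer_len, flags = struct.unpack("!BBBB", pkt[:WESP_HDR_LEN])
    version = (flags & FLAG_VERSION_MASK) >> 6
    if version != 0:
        raise ValueError(f"unsupported WESP version {version}")
    spi, seq = struct.unpack("!II", pkt[WESP_HDR_LEN:WESP_HDR_LEN + ESP_HDR_LEN])
    return {
        "next_header": next_hdr,
        "hdr_len": hdr_len,
        "trailer_len": trailer_len,
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "spi": spi,
        "seq": seq,
    }


def inspect(pkt: bytes) -> dict:
    """Return only what a middlebox can legitimately learn from one WESP packet."""
    h = parse_wesp(pkt)
    if h["encrypted"]:
        # P=1: the ESP payload is encrypted end to end.  Beyond SPI and
        # sequence number there is nothing the middlebox can verify, so no
        # claimed inner-header value is consulted for any decision.
        return {"inspectable": False, "spi": h["spi"], "reason": "encrypted payload (P=1)"}
    # P=0 (ESP-NULL): HdrLen is the offset from the start of the WESP header to
    # the inner payload; TrailerLen is the size of the ESP trailer plus ICV.
    start = h["hdr_len"]
    end = len(pkt) - h["trailer_len"]
    if start < WESP_HDR_LEN + ESP_HDR_LEN or end <= start:
        raise ValueError("HdrLen/TrailerLen inconsistent with packet length")
    return {
        "inspectable": True,
        "spi": h["spi"],
        "next_header": h["next_header"],
        "inner": pkt[start:end],
    }


def build_esp_null(spi: int, seq: int, next_header: int, inner: bytes, icv_len: int = 12) -> bytes:
    """Constructed ESP-NULL packet wrapped in WESP (no IV, ICV bytes zeroed)."""
    pad_len = (-(len(inner) + 2)) % 4                      # ESP 4-octet alignment
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header]) + bytes(icv_len)
    hdr_len = WESP_HDR_LEN + ESP_HDR_LEN                   # no IV for ESP-NULL
    wesp = struct.pack("!BBBB", next_header, hdr_len, len(trailer), 0x00)
    return wesp + struct.pack("!II", spi, seq) + inner + trailer


def build_encrypted(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Constructed WESP packet whose ESP payload is encrypted (P bit set).

    Next Header, HdrLen and TrailerLen are left zero in this sample; the
    middlebox ignores them for P=1 regardless.
    """
    wesp = struct.pack("!BBBB", 0, 0, 0, FLAG_ENCRYPTED)
    return wesp + struct.pack("!II", spi, seq) + ciphertext


# Constructed sample packets (SPIs and payload bytes are made up).
SAMPLE_ESP_NULL = build_esp_null(0x01020304, 1, 6, b"TCP-SEGMENT-BYTES")
SAMPLE_ENCRYPTED = build_encrypted(0x0A0B0C0D, 7, b"\x9f" * 32)

if __name__ == "__main__":
    for name, pkt in (("ESP-NULL", SAMPLE_ESP_NULL), ("encrypted", SAMPLE_ENCRYPTED)):
        print(name, inspect(pkt))
```

Run as a script, the ESP-NULL sample yields the 17-byte inner payload and its Next Header, while the encrypted sample yields only the SPI and an "encrypted payload" reason: any proposal that lets a middlebox act on inner-packet contents under end-to-end encryption has to add cleartext the middlebox cannot authenticate, which is the concern raised above.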
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec