On Tue, Jan 05, 2010 at 02:52:55PM +0200, Tero Kivinen wrote: <SNIP!>
> If we really want to make WESP as specified in the charter, it would
> be much better to make it so it can be added incrementally to the ESP
> processing, i.e. just like UDP encapsulation for NAT-traversal can be
> done. This would mean that the WESP processing could be applied after
> the normal ESP processing, and WESP would simply add an extra header to
> the beginning, and nothing else. The current draft already makes sure
> all the fields in the WESP header are verified by the IPsec recipient,
> thus there is really no need to add an ICV to cover them (if extensions
> are added then the ICV needs to cover them, which makes it impossible to
> implement WESP as an incremental change to ESP).

Yes -- this would allow WESP to be an attribute one adds to an ESP SA. Not unlike NAT-Traversal, it could be negotiated by IKE.

Dan

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec

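The "incremental" model the thread describes, as an added example that is not part of the mailing-list exchange: a finished ESP packet (with its ICV already computed) is wrapped by prepending a WESP-style header, and the receiver validates every header field against what the SA predicts before the untouched ESP bytes are handed to normal ESP processing. The toy ESP here is integrity-only (no encryption, no IV) with a constructed HMAC key and SA; the four-byte header layout (Next Header, HdrLen, TrailerLen, Flags) and the flag bit positions follow my reading of RFC 5840 and are an assumption of this example, not something the thread states.

```python
import hashlib
import hmac
import struct

class EspError(ValueError):
    """Raised when the inner ESP packet fails its own checks (ICV, SPI, padding)."""

class WespError(ValueError):
    """Raised when a WESP header field disagrees with what the SA predicts."""

# Constructed SA for the example: auth-only ESP, no encryption, no IV.
SA = {
    "spi": 0x00001234,
    "seq": 1,
    "iv": b"",                      # auth-only transform: no IV on the wire
    "encrypted": False,
    "icv_len": 16,                  # 128-bit truncated HMAC-SHA-256 ICV
    "auth_key": b"constructed-integrity-key",
}

# --- Plain ESP, untouched by WESP: SPI | Seq | IV | payload | pad | PadLen | NextHdr | ICV ---
def esp_encapsulate(sa, payload, next_header):
    head = struct.pack("!II", sa["spi"], sa["seq"]) + sa["iv"]
    pad_len = (-(len(payload) + 2)) % 4         # keep the ESP trailer 4-byte aligned
    pad = bytes(range(1, pad_len + 1))          # ESP's default monotonic padding
    body = head + payload + pad + bytes([pad_len, next_header])
    icv = hmac.new(sa["auth_key"], body, hashlib.sha256).digest()[: sa["icv_len"]]
    return body + icv

def esp_decapsulate(sa, esp_packet):
    if len(esp_packet) < 8 + len(sa["iv"]) + 2 + sa["icv_len"]:
        raise EspError("truncated ESP packet")
    body, icv = esp_packet[: -sa["icv_len"]], esp_packet[-sa["icv_len"]:]
    expected = hmac.new(sa["auth_key"], body, hashlib.sha256).digest()[: sa["icv_len"]]
    if not hmac.compare_digest(icv, expected):
        raise EspError("ICV mismatch")
    if struct.unpack("!I", body[:4])[0] != sa["spi"]:
        raise EspError("SPI does not match SA")
    pad_len, next_header = body[-2], body[-1]
    payload_start = 8 + len(sa["iv"])
    payload_end = len(body) - 2 - pad_len
    if payload_end < payload_start:
        raise EspError("bad pad length")
    return body[payload_start:payload_end], next_header

# --- WESP as an incremental wrapper around a finished ESP packet ---
# Assumed header layout: Next Header, HdrLen, TrailerLen, Flags (one byte each).
WESP_FMT = "!BBBB"
WESP_LEN = 4
VERSION_MASK = 0xC0   # assumed 2-bit version field, must be 0
FLAG_E = 0x20         # assumed: payload is encrypted
FLAG_P = 0x10         # assumed: padding follows the WESP header (not used on this SA)
RSVD_MASK = 0x0F      # assumed reserved bits, must be 0

def wesp_wrap(sa, esp_packet, next_header):
    """Sender: runs after ESP has produced its packet and ICV; the ESP bytes are not modified."""
    hdr_len = WESP_LEN + 8 + len(sa["iv"])      # offset from WESP header start to payload start
    flags = FLAG_E if sa["encrypted"] else 0
    nh = 0 if sa["encrypted"] else next_header  # assumption: Next Header only carried in the clear
    return struct.pack(WESP_FMT, nh, hdr_len, sa["icv_len"], flags) + esp_packet

def wesp_unwrap(sa, packet):
    """Receiver: every WESP field is checked against the SA before ESP sees the packet."""
    if len(packet) < WESP_LEN:
        raise WespError("truncated WESP header")
    nh, hdr_len, trailer_len, flags = struct.unpack(WESP_FMT, packet[:WESP_LEN])
    if flags & VERSION_MASK:
        raise WespError("unsupported WESP version")
    if flags & RSVD_MASK:
        raise WespError("reserved flag bits set")
    if flags & FLAG_P:
        raise WespError("padding not expected on this SA")
    if bool(flags & FLAG_E) != sa["encrypted"]:
        raise WespError("E bit disagrees with SA")
    if hdr_len != WESP_LEN + 8 + len(sa["iv"]):
        raise WespError("HdrLen disagrees with SA")
    if trailer_len != sa["icv_len"]:
        raise WespError("TrailerLen disagrees with SA")
    return packet[WESP_LEN:], nh

def wesp_send(sa, payload, next_header):
    return wesp_wrap(sa, esp_encapsulate(sa, payload, next_header), next_header)

def wesp_receive(sa, packet):
    esp_packet, wesp_nh = wesp_unwrap(sa, packet)
    payload, esp_nh = esp_decapsulate(sa, esp_packet)   # ICV covers only the ESP bytes
    if not sa["encrypted"] and wesp_nh != esp_nh:
        raise WespError("WESP Next Header disagrees with ESP trailer")
    return payload, esp_nh

def rejected(exc, sa, packet):
    """True if the receiver rejects `packet` with exception class `exc`."""
    try:
        wesp_receive(sa, packet)
    except exc:
        return True
    return False

if __name__ == "__main__":
    pkt = wesp_send(SA, b"hello", 17)
    print(wesp_receive(SA, pkt))
```

Because the ICV is computed by `esp_encapsulate` before the header is prepended and checked by `esp_decapsulate` after it is stripped, the WESP layer never touches ESP state; the header is accepted only if each field agrees with the SA (and, in the clear, with the ESP trailer's Next Header), which is the receiver-side verification the quoted text relies on instead of ICV coverage.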