Hi Steve,
Please reread my text. I was (in that paragraph) taking Manav's side, i.e.
assuming there's value in a deterministic distinction between encrypted and
unencrypted ESP, and hence in gradually moving the endpoints to WESP so that
middleboxes have an easier time.
As we know, this opinion is not shared by everyone.
Thanks,
Yaron
-----Original Message-----
From: Stephen Kent [mailto:[email protected]]
Sent: Wednesday, January 06, 2010 19:10
To: Yaron Sheffer
Cc: Scott C Moonen; Venkatesh Sriram; [email protected]; [email protected]
Subject: Re: [IPsec] Traffic visibility - consensus call
At 5:19 PM +0200 1/6/10, Yaron Sheffer wrote:
>I would like to reframe the migration discussion. Manav, Scott and
>everyone else, please correct me if I got it wrong.
>
>Suppose we have a middlebox that can do useful things if it knows
>that the flow is unencrypted, and only basic things if it is
>encrypted. A load balancer is a good example.
>
>We are slowly migrating all endpoints in an enterprise to be
>WESP-capable. During the migration period, the middlebox sees 3 or 4
>types of traffic:
>
>1. WESP from the new nodes.
>2. Depending on your view of whether we have the bit in question:
>encrypted ESP from WESP-capable ("new") nodes.
>3. Encrypted ESP from WESP-incapable ("old") nodes.
>4. And ESP-null from old nodes.
>
>Taking Manav's perspective, the middlebox can always use heuristics
>to distinguish encrypted ESP from ESP-null. As the number of
>WESP-capable nodes grows, it will see less and less ESP, so will
>spend ever less CPU power on heuristics.
It's not clear why nodes sending encrypted traffic would need to use
WESP (vs. native ESP), even if there is a WESP flag that indicates an
encrypted payload. Thus I don't agree with the conclusion that over
time there would be less ESP overall. If you said there would be
less use of ESP-NULL (w/o a WESP header), I would agree. To suggest
otherwise is to presuppose that replacing ESP with WESP in general
is a goal, and I certainly don't think the WG has indicated that (nor
is it in scope at this time).
Steve
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
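The following is an added example, not code from the thread or from any IPsec implementation. It models the middlebox in Yaron's migration scenario: a classifier that sorts packets into the traffic types he lists (WESP from new nodes, with or without the encrypted-payload bit, and bare ESP from old nodes that still needs heuristics) and counts how many decisions were deterministic versus heuristic, which is the CPU-cost point both sides are arguing about. The WESP header layout, IP protocol number 141 and the Encrypted (E) flag are taken from RFC 5840; the ESP-NULL heuristic is a deliberately crude stand-in written for this example (it is not RFC 5879's algorithm), and all packet bytes are constructed.

```python
"""Toy middlebox classifier for the WESP/ESP migration scenario (added example).

WESP header, protocol number and E flag: RFC 5840.
ESP-NULL heuristic: simplified stand-in, an assumption of this example only.
"""
import struct
from collections import Counter

IPPROTO_ESP = 50     # RFC 4303
IPPROTO_WESP = 141   # RFC 5840

# WESP header (RFC 5840, section 2): NextHeader | HdrLen | TrailerLen | Flags
# Flags byte, most significant bit first: Version(2) Padded(1) Encrypted(1) Reserved(4)
WESP_VERSION_MASK = 0xC0
WESP_FLAG_PADDED = 0x20
WESP_FLAG_ENCRYPTED = 0x10

ESP_FIXED_HDR_LEN = 8  # SPI (4 bytes) + Sequence Number (4 bytes), RFC 4303


class MiddleboxClassifier:
    """Classifies packets and records whether each decision was deterministic
    (read from a WESP flag) or heuristic (guessed from a bare ESP payload)."""

    def __init__(self):
        self.stats = Counter()

    def classify(self, ip_proto: int, payload: bytes) -> str:
        if ip_proto == IPPROTO_WESP:
            if len(payload) < 4:
                raise ValueError("truncated WESP header")
            # HdrLen and TrailerLen are unpacked but not validated in this toy.
            _next_hdr, _hdr_len, _trailer_len, flags = struct.unpack("!BBBB", payload[:4])
            if flags & WESP_VERSION_MASK:
                raise ValueError("unknown WESP version")
            self.stats["deterministic"] += 1
            return "wesp-encrypted" if flags & WESP_FLAG_ENCRYPTED else "wesp-null"
        if ip_proto == IPPROTO_ESP:
            # Bare ESP carries no flag; the middlebox must fall back to guessing.
            self.stats["heuristic"] += 1
            return self._esp_heuristic(payload)
        return "not-ipsec"

    @staticmethod
    def _esp_heuristic(payload: bytes) -> str:
        # Crude stand-in (assumption): treat a 0x45 byte (IPv4, IHL=5) right
        # after SPI+Seq as evidence of an ESP-NULL tunnel-mode inner packet.
        if len(payload) > ESP_FIXED_HDR_LEN and payload[ESP_FIXED_HDR_LEN] == 0x45:
            return "esp-null-probable"
        return "esp-encrypted-probable"


def classify_mix(packets, clf=None):
    """Classify a list of (ip_proto, payload) pairs; return labels and decision stats."""
    clf = clf or MiddleboxClassifier()
    return [clf.classify(proto, data) for proto, data in packets], clf.stats


def demo():
    """Constructed sample traffic covering each type in the migration scenario."""
    spi_seq = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x07"  # constructed SPI + sequence
    packets = [
        # new node, WESP with E bit set (flags 0x10)
        (IPPROTO_WESP, b"\x00\x04\x00\x10" + spi_seq + b"\x9f\x3c\x21\xe0"),
        # new node, WESP carrying ESP-NULL (flags 0x00, NextHeader=4 for IPv4)
        (IPPROTO_WESP, b"\x04\x0c\x00\x00" + spi_seq + b"\x45\x00\x00\x28"),
        # old node, bare ESP-NULL (inner IPv4 header visible after SPI+Seq)
        (IPPROTO_ESP, spi_seq + b"\x45\x00\x00\x28"),
        # old node, bare encrypted ESP (opaque bytes after SPI+Seq)
        (IPPROTO_ESP, spi_seq + b"\x9f\x3c\x21\xe0"),
        # plain TCP, not IPsec at all
        (6, b"\x00\x50\x1f\x90"),
    ]
    return classify_mix(packets)


if __name__ == "__main__":
    labels, stats = demo()
    for label in labels:
        print(label)
    print(dict(stats))
```

As the share of WESP senders grows, the `heuristic` counter shrinks relative to `deterministic`; Steve's objection is that encrypted senders have no reason to move off bare ESP, so the heuristic path never disappears for them unless WESP is mandated.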