On 04  Jan 2012, at 13:46 , Paul Hoffman wrote:

> On Jan 4, 2012, at 10:37 AM, RJ Atkinson wrote:
>> Neither WESP nor the other document provide a 100% reliable way 
>> to parse-into/parse-past/deep-inspect ESP packets.  One might 
>> wish otherwise, but the reality is that there is no 100%
>> reliable method today.
> 
> Can you give an example where WESP (a protocol that was
> done in this WG) is not 100% reliable for parse-into
> or parse-past? If we need to change the protocol, we should.

Such packets have been encountered by prototype 
implementations in at least one firewall.  I will
certainly encourage those folks to share a sample
packet here, but they don't usually show up at IETF
and can be very shy.

I think WESP was a valiant try, and it seems to work
most of the time.  It is just sad that the result 
just doesn't work in all cases.  

An entirely separate issue is that WESP is not generally
available yet.  One hopes that WESP support will become
available soon, but that's not generally true now.

Yours,

Ran

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to