On 04 Jan 2012, at 13:46, Paul Hoffman wrote:

> On Jan 4, 2012, at 10:37 AM, RJ Atkinson wrote:
>
>> Neither WESP nor the other document provide a 100% reliable way
>> to parse-into/parse-past/deep-inspect ESP packets. One might
>> wish otherwise, but the reality is that there is no 100%
>> reliable method today.
>
> Can you give an example where WESP (a protocol that was
> done in this WG) is not 100% reliable for parse-into
> or parse-past? If we need to change the protocol, we should.

Such packets have been encountered by prototype implementations in at least one firewall. I will certainly encourage those folks to share a sample packet here, but they don't usually show up at IETF and can be very shy.

I think WESP was a valiant try, and it seems to work most of the time. It is just sad that the result just doesn't work in all cases.

An entirely separate issue is that WESP is not generally available yet. One hopes that WESP support will become available soon, but that's not generally true now.

Yours,

Ran

_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec
