Hi Ran,
I find the situation quite amusing, with fleeting little packets, timid
engineers, and valiant standards people playing in this drama.
But seriously, could it be that you're confusing the (AFAIK) fully
deterministic WESP (RFC 5840) with the non-deterministic heuristic
method (RFC 5879)? Or else is there anything missing in WESP that we
should pay attention to, for example, maybe it doesn't support specific
IV or ICV sizes that those non IETF-goers are using?
Thanks,
Yaron
On 01/04/2012 08:59 PM, RJ Atkinson wrote:
On 04 Jan 2012, at 13:46 , Paul Hoffman wrote:
On Jan 4, 2012, at 10:37 AM, RJ Atkinson wrote:
Neither WESP nor the other document provide a 100% reliable way
to parse-into/parse-past/deep-inspect ESP packets. One might
wish otherwise, but the reality is that there is no 100%
reliable method today.
Can you give an example where WESP (a protocol that was
done in this WG) is not 100% reliable for parse-into
or parse-past? If we need to change the protocol, we should.
Such packets have been encountered by prototype
implementations in at least one firewall. I will
certainly encourage those folks to share a sample
packet here, but they don't usually show up at IETF
and can be very shy.
I think WESP was a valiant try, and it seems to work
most of the time. It is just sad that the result
just doesn't work in all cases.
An entirely separate issue is that WESP is not generally
available yet. One hopes that WESP support will become
available soon, but that's not generally true now.
Yours,
Ran
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec