Hi Ran,

I find the situation quite amusing, with fleeting little packets, timid engineers, and valiant standards people playing in this drama.

But seriously, could it be that you're confusing the (AFAIK) fully deterministic WESP (RFC 5840) with the non-deterministic heuristic method (RFC 5879)? Or else is there anything missing in WESP that we should pay attention to, for example, maybe it doesn't support specific IV or ICV sizes that those non-IETF-goers are using?

Thanks,
Yaron

On 01/04/2012 08:59 PM, RJ Atkinson wrote:
> On 04 Jan 2012, at 13:46, Paul Hoffman wrote:
>
>> On Jan 4, 2012, at 10:37 AM, RJ Atkinson wrote:
>>> Neither WESP nor the other document provides a 100% reliable way
>>> to parse-into/parse-past/deep-inspect ESP packets.  One might
>>> wish otherwise, but the reality is that there is no 100%
>>> reliable method today.
>>
>> Can you give an example where WESP (a protocol that was
>> done in this WG) is not 100% reliable for parse-into
>> or parse-past? If we need to change the protocol, we should.
>
> Such packets have been encountered by prototype
> implementations in at least one firewall.  I will
> certainly encourage those folks to share a sample
> packet here, but they don't usually show up at IETF
> and can be very shy.
>
> I think WESP was a valiant try, and it seems to work
> most of the time.  It is just sad that the result
> just doesn't work in all cases.
>
> An entirely separate issue is that WESP is not generally
> available yet.  One hopes that WESP support will become
> available soon, but that's not generally true now.
>
> Yours,
>
> Ran

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
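Editor's added example (not code from this thread, nor from any WESP implementation): the deterministic parse-into/parse-past that Yaron contrasts with the RFC 5879 heuristics comes from the four-octet WESP header of RFC 5840 (Next Header, HdrLen, TrailerLen, and a flags octet holding Version, E, P and Rsvd). The parser below reads those fields, rejects headers whose lengths do not fit the packet, and for ESP-NULL (E=0) returns the inner datagram; for E=1 it can only report where the payload starts and ends. The packet builder, the inner datagram bytes, the SPI and the 12-octet ICV are constructed for the example; the check that the WESP Next Header agrees with the ESP trailer's Next Header is my own consistency check, not a rule quoted from the RFC.

```python
"""Deterministic WESP (RFC 5840) header parsing, as a worked example."""
import struct
from dataclasses import dataclass

WESP_HDR_LEN = 4   # Next Header, HdrLen, TrailerLen, flags
ESP_HDR_LEN = 8    # SPI (4) + Sequence Number (4)


class WespError(ValueError):
    """Raised when a packet is not a well-formed WESP packet."""


@dataclass
class WespInfo:
    next_header: int
    hdr_len: int
    trailer_len: int
    encrypted: bool       # E bit: payload is encrypted, not ESP-NULL
    padded: bool          # P bit: 4 octets of padding before ESP header
    spi: int
    seq: int
    payload_start: int    # offset of "Rest of Payload Data" (== HdrLen)
    payload_end: int      # offset where the trailer (ICV) begins


def parse_wesp(pkt: bytes) -> WespInfo:
    """Parse the WESP header and validate its lengths against the packet."""
    if len(pkt) < WESP_HDR_LEN + ESP_HDR_LEN:
        raise WespError("too short for WESP + ESP headers")
    next_header, hdr_len, trailer_len, flags = struct.unpack("!BBBB", pkt[:4])
    version = flags >> 6          # 2 bits, MUST be 0
    encrypted = bool(flags & 0x20)
    padded = bool(flags & 0x10)
    reserved = flags & 0x0F       # MUST be 0
    if version != 0:
        raise WespError(f"unsupported WESP version {version}")
    if reserved != 0:
        raise WespError("reserved flag bits set")
    esp_off = WESP_HDR_LEN + (4 if padded else 0)
    # HdrLen must at least cover the WESP header, optional padding and
    # the fixed ESP header; a smaller value cannot point at payload data.
    if hdr_len < esp_off + ESP_HDR_LEN:
        raise WespError("HdrLen does not cover WESP + ESP headers")
    if hdr_len + trailer_len > len(pkt):
        raise WespError("HdrLen + TrailerLen exceed packet length")
    spi, seq = struct.unpack("!II", pkt[esp_off:esp_off + ESP_HDR_LEN])
    return WespInfo(next_header, hdr_len, trailer_len, encrypted, padded,
                    spi, seq, hdr_len, len(pkt) - trailer_len)


def inner_packet(pkt: bytes) -> bytes:
    """Parse-into: return the cleartext inner datagram of an ESP-NULL packet."""
    info = parse_wesp(pkt)
    if info.encrypted:
        raise WespError("E bit set: payload is encrypted, only parse-past is possible")
    region = pkt[info.payload_start:info.payload_end]
    if len(region) < 2:
        raise WespError("payload too short for ESP trailer")
    pad_len, trailer_nh = region[-2], region[-1]   # ESP trailer (RFC 4303)
    if pad_len > len(region) - 2:
        raise WespError("ESP Pad Length exceeds payload")
    # Consistency check of my own: the cleartext WESP header and the ESP
    # trailer both name the inner protocol; a mismatch means the header
    # cannot be trusted for inspection decisions.
    if trailer_nh != info.next_header:
        raise WespError("WESP Next Header disagrees with ESP trailer Next Header")
    return region[:len(region) - 2 - pad_len]


def build_wesp_null(spi: int, seq: int, inner: bytes, next_header: int,
                    icv_len: int = 12, padded: bool = False) -> bytes:
    """Construct a WESP-wrapped ESP-NULL packet (constructed sample, not real traffic)."""
    pad_len = (-(len(inner) + 2)) % 4             # ESP: trailer ends on a 4-octet boundary
    esp_payload = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    icv = b"\xAA" * icv_len                       # placeholder ICV bytes
    opt_pad = b"\x00" * 4 if padded else b""
    hdr_len = WESP_HDR_LEN + len(opt_pad) + ESP_HDR_LEN
    flags = 0x10 if padded else 0x00              # Version=0, E=0, P as requested
    wesp = struct.pack("!BBBB", next_header, hdr_len, icv_len, flags)
    esp = struct.pack("!II", spi, seq)
    return wesp + opt_pad + esp + esp_payload + icv


SAMPLE_INNER = b"constructed inner IPv4 datagram"   # stands in for an IPv4 packet (Next Header 4)
SAMPLE_PKT = build_wesp_null(0x01020304, 7, SAMPLE_INNER, next_header=4)

if __name__ == "__main__":
    info = parse_wesp(SAMPLE_PKT)
    print(f"SPI={info.spi:#010x} seq={info.seq} E={info.encrypted} "
          f"payload=[{info.payload_start}:{info.payload_end})")
    print(inner_packet(SAMPLE_PKT))
```

The point the thread is arguing about is visible in the two failure paths: a middlebox can reject a packet whose HdrLen/TrailerLen do not fit, and it can only parse-past (never parse-into) when the E bit is set, so any "100% reliable" claim is limited to ESP-NULL traffic whose WESP header is itself well-formed.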
