Ran, 

> Such packets have been encountered by prototype implementations in at least
> one firewall.
> I will certainly encourage those folks to share a sample packet here, but
> they don't usually show up at IETF and can be very shy.
>
> I think WESP was a valiant try, and it seems to work most of the time.  
> It is just sad that the result just doesn't work in all cases.  

As a co-author of WESP I can tell you that the design was vetted by several HW 
teams and it works *all* the time. The design was reviewed and approved by 
major silicon vendors and fortunately for you I am not speaking for a few shy 
people who refuse to be recognized, but some very audacious people who have 
sent their approval mails on this mailing list and have stood up and spoken in 
favor of the WESP design - multiple times.

The NIST Guidelines for Secure IPv6 deployment also refers to WESP as a 
protocol that can be used to disambiguate ESP-NULL from encrypted ESP packets. 
A SW division of NIST has already started working on supporting WESP.

Given this I would appreciate if you can stop your rant against WESP till you 
come up with a real technical reason of why you think WESP is unreliable and 
"just doesn't work in all cases".

Cheers, Manav
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
