Bhatia, Manav (Manav) writes:
> 
> > Getting WESP implemented to the boxes will require a lot of time.
> > There are still lots of boxes which do not even support IKEv2
> > (which is required for WESP) and IKEv2 has been out for 6 years
> > already. AH might already be
> 
> WESP can be used with manual keying the way routing protocols today
> use ESP and AH. 

Hmm... RFC5840 says:

----------------------------------------------------------------------
2.3.  IKE Considerations

   This document assumes that WESP negotiation is performed using IKEv2.
...
----------------------------------------------------------------------

It seems RFC5840 assumes you use IKEv2, but there might be some
other document that specifies manual keying for WESP. Or it could be
said that RFC4301 section 4.5.1 also covers WESP... Actually I think
it will.

Anyway, do you really think manually keyed WESP is a feasible method
to be used in large enterprises requiring deep packet inspection just
so they do not need to replace the obsoleted IKEv1 protocol with the
much better and actually working IKEv2?

And why would routing protocols need to use WESP? I would assume they
use ESP-NULL instead. In addition, if you use manual keying you can
also use the mandated-by-policy "100% reliable" heuristics method from
RFC5879 section 2.2.
-- 
[email protected]