Bhatia, Manav (Manav) writes:
> > Getting WESP implemented to the boxes will require a lot of time.
> > There are still lots of boxes which do not even support IKEv2
> > (which is required for WESP) and IKEv2 has been out for 6 years
> > already. AH might already be
>
> WESP can be used with manual keying the way routing protocols today
> use ESP and AH.

Hmm... RFC5840 says:

----------------------------------------------------------------------
2.3. IKE Considerations

   This document assumes that WESP negotiation is performed using IKEv2.
...
----------------------------------------------------------------------

It seems the RFC5840 assumes you use IKEv2, but there might be some
other document to specify manual keying for WESP. Or it could be said
that RFC4301 section 4.5.1 also covers WESP... Actually I think it
will.

Anyway, do you really think manually keyed WESP is a feasible method
to be used in large enterprises requiring deep packet inspection, just
so they do not need to replace the obsoleted IKEv1 protocol with the
much better and actually working IKEv2?

And why would routing protocols need to use WESP? I would assume they
use ESP-NULL instead.

In addition, if you use manual keying you can also use the
mandated-by-policy "100% reliable" heuristics method from RFC5879
section 2.2.
--
[email protected]
