On Jan 5, 2012, at 4:37 PM, Bhatia, Manav (Manav) wrote:

>
>> Getting WESP implemented to the boxes will require a lot of time.
>> There are still lots of boxes which do not even support IKEv2 (which is
>> required for WESP) and IKEv2 has been out for 6 years already. AH might already be
>
> WESP can be used with manual keying the way routing protocols today use ESP
> and AH.

Hi Manav.

I guess it can, but ESP (and AH and presumably WESP) would be implemented at a lower layer than IKE. For some boxes that would be ESP implemented in silicon and IKE implemented in software. So getting your own box to start doing IKEv2 is relatively straightforward - a software fix (even if it's referred to as "firmware"), while WESP would require a new box. Even in software implementations the IPsec is usually considered more "stable" than the IKE code.

The big vendors have taken years to implement IKEv2 in regular boxes (as opposed to lab curiosities). I don't see them rushing to implement WESP just to please the middlebox makers.

Yoav

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
