Hi Yoav,

I see some potential of using WESP in the routing protocols where it helps the end nodes in prioritizing certain control packets over the others.

One could argue that the end nodes know that the packets are NULL encrypted and could use regular ESP as well. The problem with this is that the end nodes then need to install per-SPI filter entries which is not scalable. Packets need to be punted to separate queues since IPsec processing is often done in SW after the packets have been dequeued from the CPU queues.

This is not a completely sorted idea and I need to spend more time on this to see if it makes sense ..

Cheers, Manav

P.S. BTW, one vendor recommends AH for OSPFv3 (despite 4522 stating that as a MAY) since it helps their implementation to prioritize OSPFv3 packets.

-----Original Message-----
From: Yoav Nir [mailto:[email protected]]
Sent: Thursday, January 05, 2012 9:18 PM
To: Bhatia, Manav (Manav)
Cc: Tero Kivinen; IPsec ME WG List
Subject: Re: [IPsec] Avoiding Authentication Header (AH)

On Jan 5, 2012, at 4:37 PM, Bhatia, Manav (Manav) wrote:

>
>> Getting WESP implemented to the boxes will require a lot of time.
>> There are still lots of boxes which do not even support IKEv2 (which
>> is required for
>> WESP) and IKEv2 has been out for 6 years already. AH might already be
>
> WESP can be used with manual keying the way routing protocols today use ESP
> and AH.

Hi Manav.

I guess it can, but ESP (and AH and presumably WESP) would be implemented at a lower layer than IKE. For some boxes that would be ESP implemented in silicon and IKE implemented in software. So getting your own box to start doing IKEv2 is relatively straightforward - a software fix (even if it's referred to as "firmware"), while WESP would require a new box.

Even in software implementations the IPsec is usually considered more "stable" than the IKE code. The big vendors have taken years to implement IKEv2 in regular boxes (as opposed to lab curiosities). I don't see them rushing to implement WESP just to please the middlebox makers.

Yoav

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
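Manav's argument above (classifying ESP-NULL control packets needs per-SPI state, whereas WESP exposes the inner protocol in its own header), as an added example that is not part of the thread: a Python classifier that reads the RFC 5840 WESP header and picks the queue for an OSPFv3 packet with no SA lookup, beside the plain-ESP version that needs a per-SPI table. The packet bytes are constructed; the trailer cross-check assumes TrailerLen counts the Pad Length, Next Header and ICV octets with no ESP padding, and the queue names are hypothetical.

```python
import struct

OSPFIGP = 89        # IP protocol number of OSPF; OSPFv3 runs directly over IPv6
WESP_HDR_LEN = 4    # Next Header, HdrLen, TrailerLen, Flags (RFC 5840)
ESP_HDR_LEN = 8     # SPI + Sequence Number

def parse_wesp(pkt: bytes) -> dict:
    """Parse and sanity-check the WESP header; no SA state needed."""
    if len(pkt) < WESP_HDR_LEN + ESP_HDR_LEN:
        raise ValueError("truncated WESP packet")
    next_hdr, hdr_len, trailer_len, flags = struct.unpack("!BBBB", pkt[:4])
    if flags >> 6 != 0:                       # Version bits must be 0
        raise ValueError("unknown WESP version")
    encrypted = bool(flags & 0x20)            # E bit: payload is not ESP-NULL
    if hdr_len < WESP_HDR_LEN + ESP_HDR_LEN or hdr_len + trailer_len > len(pkt):
        raise ValueError("HdrLen/TrailerLen inconsistent with packet length")
    spi = struct.unpack("!I", pkt[WESP_HDR_LEN:WESP_HDR_LEN + 4])[0]
    info = {"spi": spi, "next_header": next_hdr, "encrypted": encrypted}
    if not encrypted:
        # ESP-NULL: the ESP trailer is in the clear, so cross-check its Next Header
        # (assumes TrailerLen = Pad Length + Next Header + ICV, no padding)
        trailer = pkt[len(pkt) - trailer_len:]
        if trailer_len < 2 or trailer[1] != next_hdr:
            raise ValueError("WESP Next Header disagrees with ESP trailer")
        info["payload"] = pkt[hdr_len:len(pkt) - trailer_len]
    return info

def classify_wesp(pkt: bytes) -> str:
    """Queue choice (hypothetical names) from the WESP header alone."""
    info = parse_wesp(pkt)
    if not info["encrypted"] and info["next_header"] == OSPFIGP:
        return "control"
    return "data"

def classify_esp(pkt: bytes, spi_table: dict) -> str:
    """Plain ESP hides the inner protocol: only a per-SPI filter entry can tell."""
    spi = struct.unpack("!I", pkt[:4])[0]
    proto = spi_table.get(spi)
    if proto is None:
        return "unknown"
    return "control" if proto == OSPFIGP else "data"

# Constructed sample: ESP-NULL (SPI 0x100, seq 1) carrying a 16-byte OSPFv3 Hello
# header, then Pad Length 0, Next Header 89 and a 12-octet dummy ICV.
OSPF_HELLO = bytes([3, 1, 0, 16, 0, 0, 0, 1]) + b"\x00" * 8
ESP_PKT = struct.pack("!II", 0x100, 1) + OSPF_HELLO + bytes([0, OSPFIGP]) + b"\x00" * 12
WESP_OSPF = bytes([OSPFIGP, 12, 14, 0x00]) + ESP_PKT   # HdrLen 12, TrailerLen 14
WESP_ENC = bytes([0, 12, 14, 0x20]) + ESP_PKT           # same bytes with E set
```

The WESP decision runs before ICV verification, so a forged clear-text header can still steer a packet into the control queue; the trailer cross-check and the usual rate limit on that queue are what bound the damage.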
