Re: [IPsec] WESP - Roadmap Ahead

Stephen Kent <> Wed, 11 November 2009 20:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B52153A692A for <>; Wed, 11 Nov 2009 12:56:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.506
X-Spam-Status: No, score=-2.506 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dNMeD2vVhTEJ for <>; Wed, 11 Nov 2009 12:56:20 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 09D953A68D2 for <>; Wed, 11 Nov 2009 12:56:20 -0800 (PST)
Received: from ([] helo=[]) by with esmtp (Exim 4.63) (envelope-from <>) id 1N8KFD-0001y4-Ay; Wed, 11 Nov 2009 15:56:47 -0500
Mime-Version: 1.0
Message-Id: <p06240800c720d4538dd2@[]>
In-Reply-To: <>
References: <>
Date: Wed, 11 Nov 2009 15:56:39 -0500
To: Jack Kohn <>
From: Stephen Kent <>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Subject: Re: [IPsec] WESP - Roadmap Ahead
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 11 Nov 2009 20:56:20 -0000


I would have no problem deprecating AH in the context of the IPsec 
architecture document, if others agree. It is less efficient  than 
ESP-NULL. However, other WGs have cited AH as the IPsec protocol of 
choice for integrity/authentication in their environments, so there 
will be a need to coordinate with them, and it may be unacceptable to 
kill AH as a standalone protocol for them.

I am not comfortable with the notion of ESP with WESP.  WESP adds 
more per-packet overhead than ESP, and some users are very sensitive 
to this aspect of IPsec use. Also, other WG rely on ESP and we would 
need to convince them that the packet inspection features of WESP 
merit making changes to their standards, which might be a tough sell. 
So, I cannot support this suggestion.