Re: [IPsec] WESP - Roadmap Ahead

Stephen Kent <> Thu, 12 November 2009 03:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D335A3A67AD for <>; Wed, 11 Nov 2009 19:29:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.517
X-Spam-Status: No, score=-2.517 tagged_above=-999 required=5 tests=[AWL=0.082, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Fr08PMYRlDUD for <>; Wed, 11 Nov 2009 19:29:44 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 18F123A676A for <>; Wed, 11 Nov 2009 19:29:44 -0800 (PST)
Received: from ([] helo=[]) by with esmtp (Exim 4.63) (envelope-from <>) id 1N8QNu-0000gK-9x; Wed, 11 Nov 2009 22:30:10 -0500
Mime-Version: 1.0
Message-Id: <p0624080ac7212e67c860@[]>
In-Reply-To: <>
References: <> <p06240800c720d4538dd2@[]> <>
Date: Wed, 11 Nov 2009 22:28:25 -0500
To: "Bhatia, Manav (Manav)" <>
From: Stephen Kent <>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: "" <>, Jack Kohn <>
Subject: Re: [IPsec] WESP - Roadmap Ahead
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 12 Nov 2009 03:29:44 -0000

At 7:44 AM +0530 11/12/09, Bhatia, Manav (Manav) wrote:
>>  I would have no problem deprecating AH in the context of the IPsec
>>  architecture document, if others agree. It is less efficient  than
>>  ESP-NULL. However, other WGs have cited AH as the IPsec protocol of
>>  choice for integrity/authentication in their environments, so there
>>  will be a need to coordinate with them, and it may be unacceptable to
>>  kill AH as a standalone protocol for them.
>I agree that it is a trifle too early to start deprecating AH, 
>though I wouldn't mind doing so. OTOH, don't most WGs already 
>suggest AH as a MAY, and ESP-NULL as a MUST?

Not always. For example, I believe that OSPF security makes use of 
AH, outside the IPsec context.

>In any case what should be the stand for the newer work that comes 
>out of these WGs. Should they spell out support for AH, or should 
>they just be talking about ESP (or ESP-NULL or WESP)?

I'd recommend ESP-NULL, unless the context on which the operate might 
require inspection by an intermediate system.

>If we want to deprecate AH, or at least discourage its use in the 
>context of the IPSec architecture in the near future then shouldn't 
>we be working on this?

Part of the problem is that some WGs want to make use of IPsec 
protocols outside of the IPsec architecture.

>  > I am not comfortable with the notion of ESP with WESP.  WESP adds
>  > more per-packet overhead than ESP, and some users are very sensitive
>>  to this aspect of IPsec use. Also, other WG rely on ESP and we would
>>  need to convince them that the packet inspection features of WESP
>>  merit making changes to their standards, which might be a tough sell.
>I agree. However, we should start socializing WESP in other WGs so 
>that folks are at least aware of it.