Re: [IPsec] WESP - Roadmap Ahead

Merike Kaeo <> Thu, 12 November 2009 03:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2DC6E3A6960 for <>; Wed, 11 Nov 2009 19:49:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id QTC0gTjoiVS7 for <>; Wed, 11 Nov 2009 19:49:16 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id BED9B28C1ED for <>; Wed, 11 Nov 2009 19:48:45 -0800 (PST)
Received: from [] ([]) (authenticated bits=0) by (8.13.8.Beta0-Sonic/8.13.7) with ESMTP id nAC3n4CK018577 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 11 Nov 2009 19:49:05 -0800
In-Reply-To: <p0624080ac7212e67c860@[]>
References: <> <p06240800c720d4538dd2@[]> <> <p0624080ac7212e67c860@[]>
Mime-Version: 1.0 (Apple Message framework v753.1)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <>
Content-Transfer-Encoding: 7bit
From: Merike Kaeo <>
Date: Wed, 11 Nov 2009 19:49:29 -0800
To: Stephen Kent <>
X-Mailer: Apple Mail (2.753.1)
Cc: "" <>, "Bhatia, Manav \(Manav\)" <>, Jack Kohn <>
Subject: Re: [IPsec] WESP - Roadmap Ahead
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 12 Nov 2009 03:49:17 -0000

All of the standards I've seen that explicitly define how IPsec is to  
be used for authentication (including RFC 4552 - Authentication/ 
Confidentiality for OSPFv3) say that for authentication ESP-Null MUST  
be used and AH MAY.

Which RFCs specify AH specifically as a MUST for authentication/ 

Now on the flip side, in practical implementations, most vendors I  
know of started off with AH being used for OSPFv3 and I doubt in  
practice people are using ESP-Null.  Would love to be wrong here :)

- merike

On Nov 11, 2009, at 7:28 PM, Stephen Kent wrote:

> At 7:44 AM +0530 11/12/09, Bhatia, Manav (Manav) wrote:
>> Steve,
>>>  I would have no problem deprecating AH in the context of the IPsec
>>>  architecture document, if others agree. It is less efficient  than
>>>  ESP-NULL. However, other WGs have cited AH as the IPsec protocol of
>>>  choice for integrity/authentication in their environments, so there
>>>  will be a need to coordinate with them, and it may be  
>>> unacceptable to
>>>  kill AH as a standalone protocol for them.
>> I agree that it is a trifle too early to start deprecating AH,  
>> though I wouldn't mind doing so. OTOH, don't most WGs already  
>> suggest AH as a MAY, and ESP-NULL as a MUST?
> Not always. For example, I believe that OSPF security makes use of  
> AH, outside the IPsec context.
>> In any case what should be the stand for the newer work that comes  
>> out of these WGs. Should they spell out support for AH, or should  
>> they just be talking about ESP (or ESP-NULL or WESP)?
> I'd recommend ESP-NULL, unless the context on which the operate  
> might require inspection by an intermediate system.
>> If we want to deprecate AH, or at least discourage its use in the  
>> context of the IPSec architecture in the near future then  
>> shouldn't we be working on this?
> Part of the problem is that some WGs want to make use of IPsec  
> protocols outside of the IPsec architecture.
>>  > I am not comfortable with the notion of ESP with WESP.  WESP adds
>>  > more per-packet overhead than ESP, and some users are very  
>> sensitive
>>>  to this aspect of IPsec use. Also, other WG rely on ESP and we  
>>> would
>>>  need to convince them that the packet inspection features of WESP
>>>  merit making changes to their standards, which might be a tough  
>>> sell.
>> I agree. However, we should start socializing WESP in other WGs so  
>> that folks are at least aware of it.
> Agree.
> _______________________________________________
> IPsec mailing list