Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-visibility
Russ Housley <housley@vigilsec.com> Sat, 19 December 2009 17:50 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 891A63A69DD; Sat, 19 Dec 2009 09:50:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.366
X-Spam-Level:
X-Spam-Status: No, score=-102.366 tagged_above=-999 required=5 tests=[AWL=0.233, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jXuXZtPTRU9m; Sat, 19 Dec 2009 09:50:28 -0800 (PST)
Received: from odin.smetech.net (mail.smetech.net [208.254.26.82]) by core3.amsl.com (Postfix) with ESMTP id 62BF53A690D; Sat, 19 Dec 2009 09:50:28 -0800 (PST)
Received: from localhost (unknown [208.254.26.81]) by odin.smetech.net (Postfix) with ESMTP id EBDC2F24005; Sat, 19 Dec 2009 12:50:23 -0500 (EST)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([208.254.26.82]) by localhost (ronin.smetech.net [208.254.26.81]) (amavisd-new, port 10024) with ESMTP id 9pF3lDHJFnUo; Sat, 19 Dec 2009 12:50:12 -0500 (EST)
Received: from THINKPADR52.vigilsec.com (pool-173-66-67-45.washdc.fios.verizon.net [173.66.67.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id B8BCC9A472F; Sat, 19 Dec 2009 12:50:22 -0500 (EST)
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Sat, 19 Dec 2009 12:49:06 -0500
To: "Grewal, Ken" <ken.grewal@intel.com>
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <C49B4B6450D9AA48AB99694D2EB0A4833B89EC35@rrsmsx505.amr.cor p.intel.com>
References: <20091217023458.GA23757@mactavish> <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF893F0B9@il-ex01.ad.checkpoint.com> <19242.7719.715250.335841@fireball.kivinen.iki.fi> <C49B4B6450D9AA48AB99694D2EB0A4833B89EC35@rrsmsx505.amr.corp.intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Message-Id: <20091219175022.B8BCC9A472F@odin.smetech.net>
Cc: ipsec@ietf.org, iesg@ietf.org
Subject: Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-visibility
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Dec 2009 17:50:29 -0000
Ken: >[Ken] I think this is the whole point. All the work on ESP/IPsec >this far has been considering a two party interaction (outside the >multicast context!). Now there is a third party - the middle box, >which would like to gain some additional information in order to >provide valuable network services. The end boxes already know what >is being negotiated, so just making changes to IKE to add additional >capability is insufficient in certain scenarios (while perfectly >sufficient in others). We need to provide additional information in >the data path, hence the need for WESP. I do not agree with your assessment of the situation. I agree with Tero's thoughts. The IPsecME charter includes this work item: A standards-track mechanism that allows an intermediary device, such as a firewall or intrusion detection system, to easily and reliably determine whether an ESP packet is encrypted with the NULL cipher; and if it is, determine the location of the actual payload data inside the packet. The starting points for this work item are draft-grewal-ipsec-traffic-visibility and draft-hoffman-esp-null-protocol. Nothing in this description prepared me for WESP processing of ESP packets with a non-NULL-cipher. It suggests making it easy for the middlebox to gain access to data that is already plaintext. It does not suggest making information available to the middlebox that was previously unavailable to it. Further, based on the discussion that has happened since I posted my DISCUSS position, other IPsecME WG participants are uncomfortable with the direction that WESP has taken. As the discussion progresses, if I can see that these people and myself are in the rough, then I will clear. So far, that does not seem to be the case. Russ
- [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-visib… Russ Housley
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Jack Kohn
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Jack Kohn
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… gabriel montenegro
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Dan McDonald
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Yaron Sheffer
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Tero Kivinen
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Grewal, Ken
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Grewal, Ken
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Jari Arkko
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Tero Kivinen
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Russ Housley
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Jack Kohn
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Tero Kivinen
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Yaron Sheffer
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Brian Swander
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Bhatia, Manav (Manav)
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Bhatia, Manav (Manav)
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Jack Kohn
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Stephen Kent
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Jack Kohn
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Bhatia, Manav (Manav)
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Tero Kivinen
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Russ Housley
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Stephen Kent
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… gabriel montenegro
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Russ Housley
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Bhatia, Manav (Manav)
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Paul Hoffman
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Stephen Kent