Re: [IPsec] WESP - Roadmap Ahead

Tero Kivinen <> Wed, 11 November 2009 23:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 42A703A6B72 for <>; Wed, 11 Nov 2009 15:56:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.526
X-Spam-Status: No, score=-2.526 tagged_above=-999 required=5 tests=[AWL=0.073, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WMLlBzWUpa3q for <>; Wed, 11 Nov 2009 15:56:27 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 0E7113A6993 for <>; Wed, 11 Nov 2009 15:56:26 -0800 (PST)
Received: from (localhost []) by (8.14.3/8.14.3) with ESMTP id nABNuqkG028957 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 12 Nov 2009 01:56:52 +0200 (EET)
Received: (from kivinen@localhost) by (8.14.3/8.12.11) id nABNuqeN006455; Thu, 12 Nov 2009 01:56:52 +0200 (EET)
X-Authentication-Warning: kivinen set sender to using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <>
Date: Thu, 12 Nov 2009 01:56:52 +0200
From: Tero Kivinen <>
To: Scott C Moonen <>
In-Reply-To: <>
References: <> <>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 4 min
X-Total-Time: 3 min
Cc:, Jack Kohn <>
Subject: Re: [IPsec] WESP - Roadmap Ahead
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 11 Nov 2009 23:56:28 -0000

Scott C Moonen writes:
> Jack, I'm not sure it's clear yet whether WESP will be widely adopted. 
> There's disagreement between end-node and middle-node folks as to whether 
> WESP or heuristics are the best approach for inspection of ESP-NULL 
> traffic.  I think that end-node vendors will be very reluctant to adopt 
> WESP widely until there is broad customer demand for it, and I'm not sure 
> that this demand will ever materialize.

I agree on that... 

> This is all my personal opinion, of course.  But it seems to me that 
> heuristics will have to be adopted by competitive middle-node vendors, and 
> therefore (barring any extensions to WESP that make it attractive for 
> other reasons) the use of heuristics will probably always be more 
> widespread and will dampen the demand for WESP.  Additionally, ESP-NULL 
> itself has rather narrow applicability in an environment where end-to-end 
> encryption is increasingly common, which further limits the cases where 
> there will be an absolute need for WESP.  Furthermore, there will always 
> be valid reasons to use AH (reduced overhead compared to WESP).

And wider protection, i.e. IP addresses and options... 

> For reasons like these, I believe it's premature to call for deprecation 
> of AH and even more premature to start preferring WESP to ESP.

Agree on that too. 

> What status will the WESP RFC have?  Experimental, informational, 
> standards track, etc.?

It is aimed for proposed standard, altough I would be happier if would
be aimed for experimental.