IETF Logo Mail Archive

Re: [IPsec] Traffic visibility - consensus call

gabriel montenegro <g_e_montenegro@yahoo.com> Tue, 05 January 2010 21:32 UTC

Return-Path: <g_e_montenegro@yahoo.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 987EF3A6938 for <ipsec@core3.amsl.com>; Tue, 5 Jan 2010 13:32:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.197
X-Spam-Level:
X-Spam-Status: No, score=-2.197 tagged_above=-999 required=5 tests=[AWL=0.402, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mlhZqi86P73D for <ipsec@core3.amsl.com>; Tue, 5 Jan 2010 13:32:23 -0800 (PST)
Received: from web82604.mail.mud.yahoo.com (web82604.mail.mud.yahoo.com [68.142.201.121]) by core3.amsl.com (Postfix) with SMTP id 0C5EA28C0D9 for <ipsec@ietf.org>; Tue, 5 Jan 2010 13:32:22 -0800 (PST)
Received: (qmail 67858 invoked by uid 60001); 5 Jan 2010 21:32:18 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1262727138; bh=MyUkNmjGpawQn4x84/VP9J6OXwTcjwOt9eM1S74i5pc=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=6QQt2HODTIt+TiYT68jRrVvbybX4f2mrEVPcxHAE4V+rfdxh0ck6efS1LGC5CBA6npEgWJM0SBmkosDP22pnr8hRNFUnJxYGejOI6q+UtpqGKWfnU35sqaQFmcDcg8G4PHnJsY4bTB2dptAvT0zbhsRNn1A9reqmgda4Z/POFeQ=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=kEIkk1hAeXloc8J3NN65E6uuzsEuhBxAbimQDgxxNsvewzolSy2RY3eAxP0CtwlAHr6hRTJwrEIr1zuOyWazjc98nMcnYF9CbXxFrcnz/pn1l/jcuj9lejSVK6uk1pYYXL7yitzpPv11Vff3l0fTvmrtUK4LXAOubsKYqKo7v1k=;
Message-ID: <734514.64270.qm@web82604.mail.mud.yahoo.com>
X-YMail-OSG: WTTlctwVM1levOlIhQ1buj0.jhC71LPf8SOeuuKAK..bmflJVoEJqfiw_yBWCnXM7Z1aBy9TZFpuU4PYeTHmYRujvCrttrMSuQejYEiO47Tmaq38F6NFVJHVVQlr_pdxBEJDtS.sBS8cMOE9yjfRXWfG0WvHr.j5EafAc8AJdV5F2.5serInYnfqtYph1oqCHsKMwvpUngrt5urifa8dT2l4zSLbAyvSa0TTUWxF5NQ81femaWJjFXFGcUlL3Jtcs.4bwZ4zAo9ZcgUYrvqIliAwkUcKMfUqbsRk5a3KGMdxROX1HsWSMMpxGa0ySGwEvOHZ9LYUBLUn0Q61GMT7XG.R_kpveAGRzCqGG5s-
Received: from [131.107.0.75] by web82604.mail.mud.yahoo.com via HTTP; Tue, 05 Jan 2010 13:32:18 PST
X-Mailer: YahooMailRC/240.3 YahooMailWebService/0.8.100.260964
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF887A844@il-ex01.ad.checkpoint.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF887A845@il-ex01.ad.checkpoint.com> <C49B4B6450D9AA48AB99694D2EB0A48361A819C5@rrsmsx505.amr.corp.intel.com> <378834.93787.qm@web82602.mail.mud.yahoo.com> <4B43AAF7.8030302@vigilsec.com>
Date: Tue, 05 Jan 2010 13:32:18 -0800
From: gabriel montenegro <g_e_montenegro@yahoo.com>
To: Russ Housley <housley@vigilsec.com>
In-Reply-To: <4B43AAF7.8030302@vigilsec.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] Traffic visibility - consensus call
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jan 2010 21:32:24 -0000

Hi Russ,

Some of us believe that allowing WESP to carry encrypted packets is within the charter
(there's some recent messages today to this effect). Unfortunately, there's been wording along the lines
that the working group realized it was going off-charter, but no such conclusion has been
arrived at (and some of us don't share it). 

Without this capability, there is not a complete solution for the charter item as one might still have to use 
heuristics which has some limitations and cost (e.g., per Manav's recent message).

Additionally, allowing WESP to carry encrypted packets does not (at least in my mind)
make it a general alternative for ESP. WESP has certain applicabilities, and when
cooperating with intermediaries is not an issue (e.g., outside of organizational deployments) 
one could use encrypted ESP packets instead.

thanks,

Gabriel



----- Original Message ----
> From: Russ Housley <housley@vigilsec.com>
> To: gabriel montenegro <g_e_montenegro@yahoo.com>
> Cc: "ipsec@ietf.org" <ipsec@ietf.org>
> Sent: Tue, January 5, 2010 1:11:19 PM
> Subject: Re: [IPsec] Traffic visibility - consensus call
> 
> Gabriel:
> 
> This is being discussed to resolve the concerns that I raised in IESG 
> Evaluation.
> 
> When this work was chartered, I expected as simple wrapper.  The charter says:
> 
> > - A standards-track mechanism that allows an intermediary device, such
> > as a firewall or intrusion detection system, to easily and reliably
> > determine whether an ESP packet is encrypted with the NULL cipher; and
> > if it is, determine the location of the actual payload data inside the
> > packet. The starting points for this work item are
> > draft-grewal-ipsec-traffic-visibility and draft-hoffman-esp-null-protocol.
> 
> I think the chartering discussion would have been very different had the charter 
> said that the proposed WG would develop an alternative to ESP.
> 
> Russ
> 
> On 1/5/2010 2:08 PM, gabriel montenegro wrote:
> > But I'd also like to question the process being followed. We've discussed 
> these points numerous times in f2f meetings, on the mailing list, at virtual 
> interims, etc. So I'm surprised to see the already established consensus being 
> questioned all over again.
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email