Re: [IPsec] WESP and reliability

Yaron Sheffer <yaronf.ietf@gmail.com> Wed, 04 January 2012 19:58 UTC

Message-ID: <4F04AF7B.1010005@gmail.com>
Date: Wed, 04 Jan 2012 21:58:51 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0
MIME-Version: 1.0
To: RJ Atkinson <rja.lists@gmail.com>
References: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D027BB46F@INBANSXCHMBSA1.in.alcatel-lucent.com> <F1B15794-3291-4E71-BE26-A3559F408B01@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D027BB484@INBANSXCHMBSA1.in.alcatel-lucent.com> <23AFA108-5B72-4CB0-8498-6CC27FC79F96@gmail.com> <CAA1nO734gfXYJLeLU9iYxoArPZJ3Xo3MsXy0Rt9zgoTciBCZbQ@mail.gmail.com> <CAK3OfOg0Gsxxf8T66XNVLHtR1Tk9yHFDGw96tr0UkEh6x5uYpQ@mail.gmail.com> <48CB2A9F-D59C-462F-8C7A-82127A217703@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D028A2AE4@INBANSXCHMBSA1.in.alcatel-lucent.com> <5C745AC3-FA25-42BE-9848-DDEA3078A1FF@gmail.com> <493ECD00-71C7-4471-9B33-9F7F903ECB14@vpnc.org> <541DCEA7-C5A6-42C6-A1CB-DCF91677FB08@gmail.com>
In-Reply-To: <541DCEA7-C5A6-42C6-A1CB-DCF91677FB08@gmail.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: IPsec ME WG List <ipsec@ietf.org>
Subject: Re: [IPsec] WESP and reliability

Hi Ran,

I find the situation quite amusing, with fleeting little packets, timid 
engineers, and valiant standards people playing in this drama.

But seriously, could it be that you're confusing the (AFAIK) fully 
deterministic WESP (RFC 5840) with the non-deterministic heuristic 
method (RFC 5879)? Or else is there anything missing in WESP that we 
should pay attention to, for example, maybe it doesn't support specific 
IV or ICV sizes that those non-IETF-goers are using?

Thanks,
Yaron

On 01/04/2012 08:59 PM, RJ Atkinson wrote:
> On 04 Jan 2012, at 13:46, Paul Hoffman wrote:
>
>> On Jan 4, 2012, at 10:37 AM, RJ Atkinson wrote:
>>> Neither WESP nor the other document provide a 100% reliable way
>>> to parse-into/parse-past/deep-inspect ESP packets.  One might
>>> wish otherwise, but the reality is that there is no 100%
>>> reliable method today.
>> Can you give an example where WESP (a protocol that was
>> done in this WG) is not 100% reliable for parse-into
>> or parse-past? If we need to change the protocol, we should.
> Such packets have been encountered by prototype
> implementations in at least one firewall.  I will
> certainly encourage those folks to share a sample
> packet here, but they don't usually show up at IETF
> and can be very shy.
>
> I think WESP was a valiant try, and it seems to work
> most of the time.  It is just sad that the result
> just doesn't work in all cases.
>
> An entirely separate issue is that WESP is not generally
> available yet.  One hopes that WESP support will become
> available soon, but that's not generally true now.
>
> Yours,
>
> Ran
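The distinction Yaron draws is concrete: RFC 5840 puts explicit HdrLen and TrailerLen fields in front of an ESP-NULL packet so that a firewall can locate the inner payload by arithmetic and reject anything inconsistent, whereas RFC 5879 guesses from packet contents. The following parser is an added example written for this archive page; it is not code from the thread, from either RFC, or from any firewall implementation. It assumes the RFC 5840 field layout as read by the author of the example (Next Header, HdrLen, TrailerLen, Flags; flag bits Version:2, E:1, P:1, Reserved:4 from the most significant bit; the P bit marking 4 octets of alignment padding after the WESP header), takes no IV for ESP-NULL, and uses a constructed ESP-NULL packet with a placeholder ICV rather than a real integrity value. The names `parse_wesp`, `classify`, `build_wesp_esp_null` and `WespView` are the example's own.

```python
"""Deterministic parsing of a Wrapped ESP (WESP, RFC 5840) packet.

Added example: field layout per the example author's reading of RFC 5840,
not code from the mailing-list thread or from any product.
"""
import struct
from dataclasses import dataclass
from typing import Optional

WESP_HDR_LEN = 4      # Next Header, HdrLen, TrailerLen, Flags (one octet each)
ESP_HDR_LEN = 8       # SPI (4 octets) + Sequence Number (4 octets)
WESP_VERSION = 0      # the only version defined by RFC 5840


@dataclass(frozen=True)
class WespView:
    next_header: int
    hdr_len: int
    trailer_len: int
    encrypted: bool
    padded: bool
    spi: int
    seq: int
    payload: Optional[bytes]   # ESP-NULL payload data; None when E=1


def parse_wesp(packet: bytes) -> WespView:
    """Parse a WESP packet; raise ValueError for anything not well-formed."""
    if len(packet) < WESP_HDR_LEN + ESP_HDR_LEN:
        raise ValueError("shorter than WESP + ESP headers")
    next_header, hdr_len, trailer_len, flags = struct.unpack("!BBBB", packet[:4])
    version = (flags >> 6) & 0x3          # assumed bit order: V V E P r r r r
    encrypted = bool(flags & 0x20)
    padded = bool(flags & 0x10)
    if version != WESP_VERSION:
        raise ValueError(f"unknown WESP version {version}")
    if flags & 0x0F:
        raise ValueError("reserved flag bits set")
    # P bit (assumed): 4 octets of padding follow the WESP header so the ESP
    # header lands on an 8-octet boundary (IPv6 extension-header alignment).
    esp_off = WESP_HDR_LEN + (4 if padded else 0)
    if len(packet) < esp_off + ESP_HDR_LEN:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", packet[esp_off:esp_off + ESP_HDR_LEN])
    if encrypted:
        # Ciphertext follows: a middlebox can read SPI/sequence but nothing more,
        # and HdrLen/TrailerLen are not interpreted here.
        return WespView(next_header, hdr_len, trailer_len, True, padded, spi, seq, None)
    # ESP-NULL: HdrLen is the offset of the payload data from the start of the
    # WESP header; TrailerLen is the size of the ESP trailer plus the ICV.
    if hdr_len < esp_off + ESP_HDR_LEN:
        raise ValueError("HdrLen does not clear the ESP header")
    if trailer_len < 2:                    # Pad Length + Next Header at minimum
        raise ValueError("TrailerLen smaller than the ESP trailer")
    if hdr_len + trailer_len > len(packet):
        raise ValueError("HdrLen + TrailerLen exceed packet length")
    payload = packet[hdr_len:len(packet) - trailer_len]
    return WespView(next_header, hdr_len, trailer_len, False, padded, spi, seq, payload)


def classify(packet: bytes) -> str:
    """What an inspecting device can say about the packet from WESP alone."""
    try:
        view = parse_wesp(packet)
    except ValueError as exc:
        return f"malformed: {exc}"
    return "encrypted" if view.encrypted else "esp-null"


def build_wesp_esp_null(payload: bytes, next_header: int, spi: int, seq: int,
                        icv: bytes, padded: bool = False) -> bytes:
    """Construct a WESP/ESP-NULL packet for testing (no IV; ICV is a placeholder)."""
    pad_len = (-(len(payload) + 2)) % 4                      # 4-octet alignment of the trailer
    esp_trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    align = b"\x00" * 4 if padded else b""
    hdr_len = WESP_HDR_LEN + len(align) + ESP_HDR_LEN
    trailer_len = len(esp_trailer) + len(icv)
    flags = (WESP_VERSION << 6) | (0x10 if padded else 0)
    wesp = struct.pack("!BBBB", next_header, hdr_len, trailer_len, flags)
    return wesp + align + struct.pack("!II", spi, seq) + payload + esp_trailer + icv


if __name__ == "__main__":
    pkt = build_wesp_esp_null(b"hello", 6, 0x1234, 7, b"\xaa" * 12)   # constructed sample
    print(classify(pkt), parse_wesp(pkt).payload)
    damaged = bytearray(pkt)
    damaged[1] = 200                                                  # HdrLen past the end
    print(classify(bytes(damaged)))
```

The point of the length checks is that every inconsistency is detectable without any heuristics: a HdrLen that runs past the packet, a TrailerLen too small to hold an ESP trailer, or reserved bits set each give a definite reject, while a packet with the E bit set is simply reported as opaque. What this parser cannot do is verify the ICV or check that the WESP Next Header matches the one in the ESP trailer, since the ICV length depends on the SA the middlebox does not have.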