Re: [IPsec] WESP - Roadmap Ahead

"Bhatia, Manav (Manav)" <> Thu, 12 November 2009 02:14 UTC

From: "Bhatia, Manav (Manav)" <>
To: Stephen Kent <>, Jack Kohn <>
Date: Thu, 12 Nov 2009 07:44:55 +0530
Subject: Re: [IPsec] WESP - Roadmap Ahead


> I would have no problem deprecating AH in the context of the IPsec 
> architecture document, if others agree. It is less efficient  than 
> ESP-NULL. However, other WGs have cited AH as the IPsec protocol of 
> choice for integrity/authentication in their environments, so there 
> will be a need to coordinate with them, and it may be unacceptable to 
> kill AH as a standalone protocol for them.

I agree that it is a trifle too early to start deprecating AH, though I wouldn't mind doing so. OTOH, don't most WGs already suggest AH as a MAY and ESP-NULL as a MUST? In any case, what should be the stance for the newer work that comes out of these WGs? Should they spell out support for AH, or should they just be talking about ESP (or ESP-NULL or WESP)?

If we want to deprecate AH, or at least discourage its use in the context of the IPsec architecture in the near future, then shouldn't we be working on this?

> I am not comfortable with the notion of ESP with WESP.  WESP adds 
> more per-packet overhead than ESP, and some users are very sensitive 
> to this aspect of IPsec use. Also, other WG rely on ESP and we would 
> need to convince them that the packet inspection features of WESP 
> merit making changes to their standards, which might be a tough sell. 

I agree. However, we should start socializing WESP in other WGs so that folks are at least aware of it.

Cheers, Manav

> So, I cannot support this suggestion.
> Steve