Re: [IPsec] Traffic visibility - consensus call
Min Huang <huangmin@huaweisymantec.com> Mon, 11 January 2010 06:38 UTC
Return-Path: <huangmin@huaweisymantec.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C173E3A69B9 for <ipsec@core3.amsl.com>; Sun, 10 Jan 2010 22:38:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.495
X-Spam-Level:
X-Spam-Status: No, score=-0.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hHymZBBqKzxJ for <ipsec@core3.amsl.com>; Sun, 10 Jan 2010 22:38:02 -0800 (PST)
Received: from mta2.huaweisymantec.com (unknown [218.17.155.15]) by core3.amsl.com (Postfix) with ESMTP id A655A3A68AB for <ipsec@ietf.org>; Sun, 10 Jan 2010 22:38:02 -0800 (PST)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from hstml01-in.huaweisymantec.com ([172.26.3.42]) by hstga02-in.huaweisymantec.com (Sun Java(tm) System Messaging Server 6.3-8.03 (built Apr 24 2009; 32bit)) with ESMTP id <0KW2003TGL31EK60@hstga02-in.huaweisymantec.com> for ipsec@ietf.org; Mon, 11 Jan 2010 14:37:49 +0800 (CST)
Received: from h00104745 ([10.27.154.97]) by hstml01-in.huaweisymantec.com (Sun Java(tm) System Messaging Server 6.3-8.03 (built Apr 24 2009; 32bit)) with ESMTPA id <0KW2000F2L30QA10@hstml01-in.huaweisymantec.com> for ipsec@ietf.org; Mon, 11 Jan 2010 14:37:48 +0800 (CST)
From: Min Huang <huangmin@huaweisymantec.com>
To: Yaron Sheffer <yaronf@checkpoint.com>
Date: Mon, 11 Jan 2010 14:37:48 +0800
Message-id: <002b01ca9288$97867760$619a1b0a@china.huawei.com>
X-Mailer: Microsoft Office Outlook 11
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
Thread-index: AcqSiJcY0j/cHXB+QFCBKHYFTxwJMw==
Cc: ipsec@ietf.org
Subject: Re: [IPsec] Traffic visibility - consensus call
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jan 2010 06:38:03 -0000
YES to both. The WESP header provides a kind of rapid *deterministic* detection method for ESP_NULL packet. The heuristics method is too complex and it calls for more computing resource and computing time. I doubt the middle box whether will support the heuristics method for ESP_NULL detection. Although including the WESP header into ESP ICV calculation seems modifying ESP, it is necessary to check the WESP header integrity for counter certain attacks. The explicit WESP integrity calculation is OK for me, too. I support WESP for encrypted ESP flow. WESP has the capacity to provide more functions by future extensibility than just traffic visibility for ESP_NULL. Nowadays ESP is used much more widely for encrypted flow than ESP_NULL flow. It is meaningful for middle detection machines to have the ability to detecting encrypted traffic. And then WESP could provide this kind of traffic visibility for both encrypted flow and unencrypted flow in future. regards, Min -----Original Message----- From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org <javascript:main.compose('new', 't=ipsec-bounces@ietf.org')> ] On Behalf Of Yaron Sheffer Sent: Tuesday, January 05, 2010 6:27 AM To: ipsec@ietf.org Subject: [IPsec] Traffic visibility - consensus call Hi, We have had a few "discusses" during the IESG review of the WESP draft. To help resolve them, we would like to reopen the following two questions to WG discussion. Well reasoned answers are certainly appreciated. But plain "yes" or "no" would also be useful in judging the group's consensus. - The current draft (http://tools.ietf.org/html/draft-ietf-ipsecme-traffic-visibility-11) <http://tools.ietf.org/html/draft-ietf-ipsecme-traffic-visibility-11)> defines the ESP trailer's ICV calculation to include the WESP header. This has been done to counter certain attacks, but it means that WESP is no longer a simple wrapper around ESP - ESP itself is modified. Do you support this design decision? - The current draft allows WESP to be applied to encrypted ESP flows, in addition to the originally specified ESP-null. This was intended so that encrypted flows can benefit from the future extensibility offered by WESP. But arguably, it positions WESP as an alternative to ESP. Do you support this design decision? Thanks, Yaron _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec <https://www.ietf.org/mailman/listinfo/ipsec>
- [IPsec] Traffic visibility - consensus call Yaron Sheffer
- Re: [IPsec] Traffic visibility - consensus call Yoav Nir
- Re: [IPsec] Traffic visibility - consensus call Scott C Moonen
- [IPsec] Traffic visibility - consensus call Tero Kivinen
- Re: [IPsec] Traffic visibility - consensus call Dan McDonald
- Re: [IPsec] Traffic visibility - consensus call Stephen Kent
- Re: [IPsec] Traffic visibility - consensus call Grewal, Ken
- Re: [IPsec] Traffic visibility - consensus call gabriel montenegro
- Re: [IPsec] Traffic visibility - consensus call Paul Hoffman
- Re: [IPsec] Traffic visibility - consensus call gabriel montenegro
- Re: [IPsec] Traffic visibility - consensus call Paul Hoffman
- Re: [IPsec] Traffic visibility - consensus call Brian Swander
- Re: [IPsec] Traffic visibility - consensus call Mark Vondemkamp
- Re: [IPsec] Traffic visibility - consensus call Russ Housley
- Re: [IPsec] Traffic visibility - consensus call gabriel montenegro
- Re: [IPsec] Traffic visibility - consensus call Brian Swander
- Re: [IPsec] Traffic visibility - consensus call Russ Housley
- Re: [IPsec] Traffic visibility - consensus call Jack Kohn
- Re: [IPsec] Traffic visibility - consensus call Joseph Tardo
- Re: [IPsec] Traffic visibility - consensus call Jack Kohn
- Re: [IPsec] Traffic visibility - consensus call Jack Kohn
- Re: [IPsec] Traffic visibility - consensus call Jack Kohn
- Re: [IPsec] Traffic visibility - consensus call Bhatia, Manav (Manav)
- Re: [IPsec] Traffic visibility - consensus call gabriel montenegro
- Re: [IPsec] Traffic visibility - consensus call Zhen Cao
- Re: [IPsec] Traffic visibility - consensus call Venkatesh Sriram
- Re: [IPsec] Traffic visibility - consensus call Scott C Moonen
- Re: [IPsec] Traffic visibility - consensus call Stephen Kent
- Re: [IPsec] Traffic visibility - consensus call Stephen Kent
- Re: [IPsec] Traffic visibility - consensus call Brian Swander
- Re: [IPsec] Traffic visibility - consensus call Yaron Sheffer
- Re: [IPsec] Traffic visibility - consensus call Dragan Grebovich
- Re: [IPsec] Traffic visibility - consensus call Russ Housley
- Re: [IPsec] Traffic visibility - consensus call Stephen Kent
- Re: [IPsec] Traffic visibility - consensus call Stephen Kent
- Re: [IPsec] Traffic visibility - consensus call Brian Swander
- Re: [IPsec] Traffic visibility - consensus call Brian Swander
- Re: [IPsec] Traffic visibility - consensus call Paul Hoffman
- Re: [IPsec] Traffic visibility - consensus call Jack Kohn
- Re: [IPsec] Traffic visibility - consensus call Jack Kohn
- Re: [IPsec] Traffic visibility - consensus call Paul Hoffman
- Re: [IPsec] Traffic visibility - consensus call Stephen Kent
- [IPsec] What problem are we REALLY trying to solv… Dan McDonald
- Re: [IPsec] Traffic visibility - consensus call Dan Harkins
- Re: [IPsec] Traffic visibility - consensus call Yaron Sheffer
- Re: [IPsec] Traffic visibility - consensus call Scott C Moonen
- Re: [IPsec] Traffic visibility - consensus call Brian Swander
- Re: [IPsec] Traffic visibility - consensus call Brian Swander
- Re: [IPsec] Traffic visibility - consensus call Yaron Sheffer
- Re: [IPsec] Traffic visibility - consensus call Stephen Kent
- Re: [IPsec] Traffic visibility - consensus call Brian Swander
- Re: [IPsec] Traffic visibility - consensus call Brian Swander
- Re: [IPsec] Traffic visibility - consensus call Yaron Sheffer
- Re: [IPsec] Traffic visibility - consensus call Stephen Kent
- Re: [IPsec] Traffic visibility - consensus call Grewal, Ken
- Re: [IPsec] Traffic visibility - consensus call Yaron Sheffer
- Re: [IPsec] Traffic visibility - consensus call Brian Swander
- Re: [IPsec] Traffic visibility - consensus call Brian Swander
- Re: [IPsec] Traffic visibility - consensus call Stephen Kent
- Re: [IPsec] Traffic visibility - consensus call Stephen Kent
- Re: [IPsec] Traffic visibility - consensus call Stephen Kent
- Re: [IPsec] Traffic visibility - consensus call Paul Koning
- Re: [IPsec] Traffic visibility - consensus call Bill Sommerfeld
- Re: [IPsec] Traffic visibility - consensus call Brian Swander
- Re: [IPsec] Traffic visibility - consensus call Nicolas Williams
- Re: [IPsec] Traffic visibility - consensus call Grewal, Ken
- [IPsec] Traffic visibility - consensus call Sanchez, Mauricio (ProCurve)
- Re: [IPsec] Traffic visibility - consensus call Dan Harkins
- Re: [IPsec] Traffic visibility - consensus call Joy Latten
- Re: [IPsec] Traffic visibility - consensus call Jack Kohn
- Re: [IPsec] Traffic visibility - consensus call Grewal, Ken
- Re: [IPsec] Traffic visibility - consensus call Grewal, Ken
- Re: [IPsec] Traffic visibility - consensus call Dan Harkins
- Re: [IPsec] Traffic visibility - consensus call Charlie Kaufman
- Re: [IPsec] Traffic visibility - consensus call Yoav Nir
- Re: [IPsec] Traffic visibility - consensus call Yaron Sheffer
- Re: [IPsec] Traffic visibility - consensus call Yaron Sheffer
- Re: [IPsec] Traffic visibility - consensus call Daniel Migault
- Re: [IPsec] Traffic visibility - consensus call Stephen Kent
- Re: [IPsec] Traffic visibility - consensus call Grewal, Ken
- Re: [IPsec] Traffic visibility - consensus call Brian Swander
- Re: [IPsec] Traffic visibility - consensus call Brian Swander
- Re: [IPsec] Traffic visibility - consensus call Dan Harkins
- Re: [IPsec] Traffic visibility - consensus call Stephen Kent
- [IPsec] Traffic visibility - what are the assumpt… Stephen Kent
- Re: [IPsec] Traffic visibility - consensus call Brian Swander
- Re: [IPsec] Traffic visibility - consensus call Yaron Sheffer
- Re: [IPsec] Traffic visibility - consensus call Dan Harkins
- Re: [IPsec] Traffic visibility - consensus call Stephen Kent
- Re: [IPsec] Traffic visibility - consensus call Jack Kohn
- Re: [IPsec] Traffic visibility - consensus call Brian Swander
- Re: [IPsec] Traffic visibility - consensus call Joseph Tardo
- Re: [IPsec] Traffic visibility - consensus call Tero Kivinen
- Re: [IPsec] Traffic visibility - consensus call Tero Kivinen
- Re: [IPsec] Traffic visibility - consensus call Nicolas Williams
- Re: [IPsec] Traffic visibility - consensus call Brian Swander
- Re: [IPsec] Traffic visibility - consensus call Min Huang
- Re: [IPsec] Traffic visibility - consensus call Pasi.Eronen
- Re: [IPsec] Traffic visibility - consensus call Bhatia, Manav (Manav)
- Re: [IPsec] Traffic visibility - consensus call Dan Harkins
- Re: [IPsec] Traffic visibility - consensus call Bhatia, Manav (Manav)
- Re: [IPsec] Traffic visibility - consensus call Dan Harkins
- Re: [IPsec] Traffic visibility - consensus call Grewal, Ken
- Re: [IPsec] Traffic visibility - consensus call Stephen Kent