Re: [IPsec] WESP - Roadmap Ahead

Gregory Lebovitz <gregory.ietf@gmail.com> Tue, 17 November 2009 19:19 UTC

To: Jack Kohn <kohn.jack@gmail.com>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>, Stephen Kent <kent@bbn.com>, Steven Bellovin <smb@cs.columbia.edu>

inline...

On Mon, Nov 16, 2009 at 8:39 AM, Stephen Kent <kent@bbn.com> wrote:

--snip--


> I am not suggesting that any aspect of your analysis is flawed. I am
> suggesting that before the WG chooses to further deprecate AH, it needs to
> document the analysis supporting this decision, not just cite a couple of
> examples and make general statements in support of such an action.
>

WESP implementations need to occur, be deployed, and have some time in
operational networks. It would benefit the standards process to get some
feedback from the operational community once this has happened. Whether or
not we call it "experimental", we need to try out the WESP mechanism, in
parallel with the heuristics method, in the wild and see what comes of
them.

We need not be shy about WESP's existence and benefits. I agree we ought to
go on a bit of an intra-IETF "road show" and get the word to other Areas and
WGs about WESP as compared to AH, and see what feedback we get. This can
only help the standards process. In this context, Steve's suggestion for
an analysis document would be very helpful. Many of the arguments made in
this thread would be excellently housed in said document.

After some time in the wild, if we observe signs that WESP is operationally
replacing AH, then we could seriously discuss deprecating AH.

HTH,
Gregory.


>
> Steve

-- 
----
IETF related email from
Gregory M. Lebovitz
Juniper Networks