Re: [Ipsec] I-D Action:draft-hoffman-esp-null-protocol-00.txt

Scott C Moonen <smoonen@us.ibm.com> Mon, 27 August 2007 14:57 UTC

In-Reply-To: <p06240505c2f88cb53df3@[128.89.89.71]>
To: IPsec WG <ipsec@ietf.org>
Subject: Re: [Ipsec] I-D Action:draft-hoffman-esp-null-protocol-00.txt
From: Scott C Moonen <smoonen@us.ibm.com>
Message-ID: <OFDDF3910B.F82A0C50-ON85257344.004F87B8-85257344.0051FE5C@us.ibm.com>
Date: Mon, 27 Aug 2007 08:55:36 -0600

Would you consider instead reserving a certain range of ESP SPI values for 
this use?  This would avoid consuming two additional protocols, and would 
localize the solution to the SA management architecture (manual 
configuration or IKE) without any need for TCP/IP changes or even any 
changes to the IKE proposals sent.  The downside of course is that 
existing implementations will fail to honor this, but environments that 
need this behavior will require updated implementations regardless of the 
approach chosen.

It also occurs to me that we could define IP options that asserted NULL 
ESP, although that seems less elegant and efficient.


Scott Moonen (smoonen@us.ibm.com)
http://www.linkedin.com/in/smoonen



Stephen Kent <kent@bbn.com>
08/27/2007 10:16 AM

To: Paul Hoffman <paul.hoffman@vpnc.org>
cc: IPsec WG <ipsec@ietf.org>
Subject: Re: [Ipsec] Fwd: I-D Action:draft-hoffman-esp-null-protocol-00.txt

At 6:57 PM -0700 8/24/07, Paul Hoffman wrote:
>Greetings again. David McGrew and I have put together a proposal 
>that should help end the ESP NULL vs. AH debate. In that debate, the 
>primary argument for AH is "packet-inspecting firewalls don't know 
>whether or not to look inside an ESP packet". With this proposal, 
>they will know better.
>
>Please let us know what you think.

Paul,

This should work. The only question is whether the community is 
willing to consume two protocol numbers to address the problem.

Steve

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

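The two signalling schemes being compared in this thread, as an added example that is not code from the draft, from Scott Moonen or from anyone else on the list: a middlebox classifier that decides whether an ESP packet carries an inspectable ESP-NULL payload, once by a distinct IP protocol number (the Hoffman/McGrew approach) and once by a reserved SPI range in ordinary ESP (Moonen's alternative). The protocol number 253 (taken from the IANA experimental range), the SPI range 0xFF00..0xFFFF and the 12-byte ICV are placeholders assumed for the example; the draft's real numbers are not on this page. Under either scheme the middlebox only learns what the endpoint claims, since without the SA's key it cannot verify the ICV, and it still has to know the ICV length to find the ESP trailer, which neither scheme conveys.

```python
"""Classify ESP packets as inspectable (ESP-NULL) by two signalling schemes.

Added example; not code from the draft or the thread. Everything marked
"hypothetical" below is an assumption: the draft's actual protocol numbers
and any reserved SPI range are not given on this page.
"""
import struct
from dataclasses import dataclass

IPPROTO_ESP = 50                       # IANA-assigned ESP (RFC 4303)
HYPOTHETICAL_ESP_NULL_PROTO = 253      # stand-in from the IANA experimental range
HYPOTHETICAL_ESP_NULL_SPI_RANGE = (0x0000FF00, 0x0000FFFF)  # stand-in reserved SPI range


@dataclass
class EspPacket:
    proto: int      # outer IP protocol number
    spi: int
    seq: int
    body: bytes     # everything after the 8-byte ESP header (payload, trailer, ICV)


def parse_ipv4_esp(packet: bytes) -> EspPacket:
    """Parse an IPv4 header followed by an ESP header (RFC 4303 section 2)."""
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not IPv4")
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    if proto not in (IPPROTO_ESP, HYPOTHETICAL_ESP_NULL_PROTO):
        raise ValueError(f"protocol {proto} is not ESP")
    esp = packet[ihl:total_len]
    if len(esp) < 8:
        raise ValueError("short ESP header")
    spi, seq = struct.unpack("!II", esp[:8])
    return EspPacket(proto, spi, seq, esp[8:])


def inspectable_by_protocol(pkt: EspPacket) -> bool:
    """Hoffman/McGrew style: a distinct IP protocol number says 'this is ESP-NULL'."""
    return pkt.proto == HYPOTHETICAL_ESP_NULL_PROTO


def inspectable_by_spi_range(pkt: EspPacket, spi_range=HYPOTHETICAL_ESP_NULL_SPI_RANGE) -> bool:
    """Moonen's alternative: ordinary ESP (protocol 50) whose SPI falls in a reserved range."""
    lo, hi = spi_range
    return pkt.proto == IPPROTO_ESP and lo <= pkt.spi <= hi


def extract_inner(pkt: EspPacket, icv_len: int) -> tuple[int, bytes]:
    """Strip the ESP trailer from an ESP-NULL body: payload | padding | pad len | next hdr | ICV.

    The ICV length depends on the integrity algorithm negotiated for the SA, which
    neither signalling scheme tells a middlebox; the caller must supply it.
    """
    if len(pkt.body) < icv_len + 2:
        raise ValueError("body too short for trailer")
    trailer_end = len(pkt.body) - icv_len
    pad_len = pkt.body[trailer_end - 2]
    next_header = pkt.body[trailer_end - 1]
    payload_end = trailer_end - 2 - pad_len
    if payload_end < 0:
        raise ValueError("pad length exceeds payload")
    return next_header, pkt.body[:payload_end]


def build_ipv4_esp_null(proto: int, spi: int, seq: int, inner: bytes,
                        next_header: int, icv_len: int) -> bytes:
    """Constructed test packet: IPv4 (no options) + ESP header + inner + trailer + zero ICV.

    The ICV is all zeros, a placeholder rather than a real integrity tag, and the
    IPv4 checksum is left at zero; this is test input, not a packet to send.
    """
    pad_len = (-(len(inner) + 2)) % 4          # RFC 4303: trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))     # default padding bytes 1, 2, 3, ...
    body = inner + padding + bytes([pad_len, next_header]) + b"\x00" * icv_len
    esp = struct.pack("!II", spi, seq) + body
    total_len = 20 + len(esp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + esp


if __name__ == "__main__":
    inner = b"\x00\x50\x04\xd2" + b"A" * 9     # constructed 13-byte stand-in for a TCP segment
    for proto, spi in ((IPPROTO_ESP, 0x0000FF10), (IPPROTO_ESP, 0x12345678),
                       (HYPOTHETICAL_ESP_NULL_PROTO, 0x12345678)):
        pkt = parse_ipv4_esp(build_ipv4_esp_null(proto, spi, 1, inner, 6, 12))
        print(f"proto={pkt.proto:3d} spi=0x{pkt.spi:08x} "
              f"by_proto={inspectable_by_protocol(pkt)} by_spi={inspectable_by_spi_range(pkt)}")
```

The SPI-range check deliberately requires protocol 50 as well, so an unmodified peer that happens to pick an SPI in the reserved range while using encryption is the failure case Moonen's message already names: the classifier would try to parse ciphertext as an inner packet, and `extract_inner` may then raise on an implausible pad length rather than silently returning garbage.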