Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

To: gabriel montenegro <g_e_montenegro at yahoo.com>, Tero Kivinen <kivinen at iki.fi>, "Grewal, Ken" <ken.grewal at intel.com>
Subject: Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
From: Yoav Nir <ynir at checkpoint.com>
Date: Tue, 10 Feb 2009 21:51:31 +0200
Accept-language: en-US
Acceptlanguage: en-US
Cc: "ipsec at ietf.org" <ipsec at ietf.org>, Dragan Grebovich <dragan at nortel.com>
Delivered-to: ipsec at core3.amsl.com
In-reply-to: <27014.28749.qm at web82605.mail.mud.yahoo.com>
List-archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: Discussion of IPsec protocols <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
References: <34B3EAA5B3066A42914D28C5ECF5FEA418762035 at zrtphxm2.corp.nortel.com> <18824.17079.363126.331101 at fireball.kivinen.iki.fi> <C49B4B6450D9AA48AB99694D2EB0A4830CDF22E0 at rrsmsx505.amr.corp.intel.com> <18826.54339.452491.244002 at fireball.kivinen.iki.fi> <C49B4B6450D9AA48AB99694D2EB0A4830D0DD886 at rrsmsx505.amr.corp.intel.com> <18832.15242.707313.57888 at fireball.kivinen.iki.fi>, <27014.28749.qm at web82605.mail.mud.yahoo.com>
Thread-index: AcmLtBkaaAcjn1BDRc+uWLeknCrm0QABN9oI
Thread-topic: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

gabriel montenegro wrote:

>I'll just comment on one item below:
>
>> As the draft says this is mostly meant for stateful devices, and that
>> has been the main goal for the document. The charter says:
>>
>> "A standards-track mechanism that allows an intermediary device, such
>> as a firewall or intrusion detection system ..."
>>
>> I.e. the main goal was set to be on the devices doing deeper
>> inspection i.e. firewalls and intrusion detection systems.
>
>Disagree completely. The charter item is a general one for intermediary devices
>(some of which are and are expected to continue being stateless).
>
>The above was just an example.

OK, so give us a counter-example. Why would a stateless device want to be able to tell the difference between ESP-AES-CBC and ESP-NULL.  What policy is it trying to enforce?




Email secured by Check Point

Follow-Ups:
- Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
  - From: Grewal, Ken

References:
- [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
  - From: Dragan Grebovich
- [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
  - From: Tero Kivinen
- Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
  - From: Grewal, Ken
- Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
  - From: Tero Kivinen
- Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
  - From: Grewal, Ken
- Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
  - From: Tero Kivinen
- Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
  - From: gabriel montenegro

Prev by Date: Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
Next by Date: Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
Previous by thread: Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
Next by thread: Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
Index(es):
- Date
- Thread

Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.