Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
Bhatia, Manav (Manav) writes:
> >
> > > BTW, insider threats are on the rise according to various public
> > > reports, so should not be discounted. This is one of the motivations
> > > of employing security, even within the Enterprise.
> >
> > Yes, but I do not really think people are going to solve those using
> > ESP-NULL. I think they must move to encrypted ESP to provide
> > confidentiality also, and that makes the need for ESP-NULL visibility
> > even less.
>
> I disagree. With AH as a MAY and ESP as MUST in IPSec, most vendors
> will implement ESP (besides the problem of AH being NAT unfriendly).
> All applications (OSPFv3, RIPng, etc), and there are many, which
> don't care about confidentiality, but are only concerned with
> authentication and integrity assurance, will continue using
> ESP-NULL.
>
> Thus there is a need for ESP-NULL visibility.
What kind of deep inspection are you doing on OSPFv3 and RIPng in
the middle boxes? I.e. why do middle boxes need to know anything
about the actual data contents of those protocols?
You gave reasons why ESP-NULL is needed, not why ESP-NULL visibility
is needed.
--
kivinen at iki.fi