Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

> > > Yes, but I do not really think people are going to solve those using
> > > ESP-NULL. I think they must move to encrypted ESP to provide
> > > confidentiality also, and that makes the need for ESP-NULL visibility
> > > even less.
> > 
> > I disagree. With AH as a MAY and ESP as MUST in IPsec, most vendors
> > will implement ESP (besides the problem of AH being NAT unfriendly).
> > All applications (OSPFv3, RIPng, etc.), and there are many, which
> > don't care about confidentiality, but are only concerned with
> > authentication and integrity assurance, will continue using
> > ESP-NULL.
> > 
> > Thus there is a need for ESP-NULL visibility.
> 
> What kind of deep inspection are you doing on the OSPFv3 and RIPng in
> the middle boxes? I.e. why do middle boxes need to know anything
> about the actual data contents of those protocols?
> 
> You gave reasons why ESP-NULL is needed, not why ESP-NULL visibility
> is needed.

One might want to filter OSPFv3 packets coming from outside the domain.

Then when you're the end node, you might want to prioritize some OSPF packets over others. I understand that the latter is an implementation-specific issue, but it helps if the underlying protocol is amenable to deep inspection.

Cheers, Manav
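As an added illustration of the two use cases named in this message (filtering OSPFv3 that arrives from outside the domain, and prioritizing OSPF packet types), the following is example code written for this thread, not code from the draft or from any poster. It applies the kind of heuristic the draft discusses to a raw ESP packet: try each plausible ICV length, check that the byte before the ICV is a known Next Header and that the padding follows the RFC 4303 default pattern, and only then look at the inner OSPFv3 header. The ICV lengths, the allowlist of Next Header values, the dummy all-zero ICV and the drop/priority policy are assumptions made for the example; the sample packets are constructed inline.

```python
import struct

OSPF = 89  # IANA protocol number for OSPF (RFC 5340 uses it for OSPFv3 over IPv6)
# Assumption: a small allowlist of Next Header values the heuristic will accept.
KNOWN_NEXT_HEADERS = {4, 6, 17, 41, 58, 89}
# Assumption: candidate ICV lengths for common ESP integrity algorithms
# (12 for the *-96 truncations, 16/24/32 for the SHA-2 truncations).
ICV_LENGTHS = (12, 16, 24, 32)
OSPF_HELLO = 1  # OSPFv3 packet type 1 = Hello


def build_esp_null(spi, seq, inner, next_header, icv_len, align=4):
    """Constructed sample: ESP with NULL encryption, RFC 4303 default padding
    (1, 2, 3, ...), Pad Length, Next Header and a dummy all-zero ICV.
    No real MAC is computed: a middlebox cannot verify it anyway."""
    pad_len = (-(len(inner) + 2)) % align      # payload + 2 trailer bytes aligned
    padding = bytes(range(1, pad_len + 1))
    return (struct.pack("!II", spi, seq) + inner + padding
            + bytes([pad_len, next_header]) + b"\x00" * icv_len)


def guess_esp_null(pkt):
    """Heuristic ESP-NULL detection over a raw ESP packet (after the IP header).
    Returns (next_header, inner_payload, icv_len) if the trailer is consistent
    with NULL encryption for some candidate ICV length, else None."""
    if len(pkt) < 8 + 2 + min(ICV_LENGTHS):
        return None
    for icv_len in ICV_LENGTHS:
        trailer_end = len(pkt) - icv_len
        if trailer_end < 10:                   # SPI + Seq + two trailer bytes
            continue
        pad_len, next_header = pkt[trailer_end - 2], pkt[trailer_end - 1]
        if next_header not in KNOWN_NEXT_HEADERS:
            continue
        payload_end = trailer_end - 2 - pad_len
        if payload_end < 8:
            continue
        # Encrypted ESP is indistinguishable from random here; the default
        # monotonically increasing padding makes a false match very unlikely.
        if pkt[payload_end:trailer_end - 2] != bytes(range(1, pad_len + 1)):
            continue
        return next_header, pkt[8:payload_end], icv_len
    return None


def classify_ospfv3(pkt, from_outside):
    """Middlebox policy (assumed for the example): drop OSPFv3 arriving from
    outside the domain; otherwise forward, giving Hello packets high priority.
    OSPFv3 header (RFC 5340): version(1)=3, type(1), length(2), router id(4),
    area id(4), checksum(2), instance id(1), reserved(1) = 16 bytes."""
    result = {"esp_null": False, "ospfv3": False, "verdict": "forward", "priority": "normal"}
    guess = guess_esp_null(pkt)
    if guess is None:
        return result                           # opaque: cannot inspect, just forward
    result["esp_null"] = True
    next_header, inner, _ = guess
    if next_header != OSPF or len(inner) < 16 or inner[0] != 3:
        return result
    result["ospfv3"] = True
    if from_outside:
        result["verdict"] = "drop"
        return result
    result["priority"] = "high" if inner[1] == OSPF_HELLO else "normal"
    return result


# Constructed samples: an OSPFv3 Hello header and a short UDP-like payload.
OSPFV3_HELLO = (bytes([3, OSPF_HELLO]) + struct.pack("!H", 16)
                + b"\x0a\x00\x00\x01" + b"\x00" * 4 + b"\x00\x00" + b"\x00\x00")
ESP_OSPF = build_esp_null(0x1234, 1, OSPFV3_HELLO, OSPF, 12)
ESP_UDP = build_esp_null(0x1235, 7, b"\x00\x35\x00\x35\x00\x08\x00\x00", 17, 16)
NOT_ESP_NULL = bytes(range(40))                # looks like random/encrypted data

if __name__ == "__main__":
    print(guess_esp_null(ESP_OSPF))
    print(classify_ospfv3(ESP_OSPF, from_outside=True))
    print(classify_ospfv3(ESP_OSPF, from_outside=False))
    print(classify_ospfv3(NOT_ESP_NULL, from_outside=True))
```

The design point worth noting is the last branch of `classify_ospfv3`: when the heuristic fails, the middlebox has no choice but to forward, since it cannot tell encrypted ESP from an ESP-NULL flow whose padding or ICV length it did not anticipate. That is exactly why the draft's heuristics, rather than a mandatory on-the-wire marker, leave some residual uncertainty for both filtering and prioritization.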
