ipsec September 2009 archive

Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-null-heuristics-01

From: Yoav Nir <ynir_at_nospam>
Date: Tue Sep 22 2009 - 12:20:14 GMT
To: Yaron Sheffer <yaronf@checkpoint.com>

I support advancing this document, and I think the explanations and pseudo code are good.

I do, however, question the value of it in real life.

Security policies of the deep inspection kind are usually something like:

  • allow HTTP and HTTPS, and verify headers
  • allow ICMP and DNS
  • maybe some more allowed protocols
  • drop everything else

I'm sure anything enforcing a policy like this will drop ESP-non-null anyway, because it doesn't look like one of those allowed protocols. However, YMMV, so I support publishing this draft.

On Sep 17, 2009, at 11:28 PM, Yaron Sheffer wrote:

> This is to begin a 2 week working group last call for draft-ietf-
> ipsecme-esp-null-heuristics-01. The target status for this document
> is Informational.
> Please send your comments to the ipsec list by Oct. 1, 2009, as
> follow-ups to this message.
> Note that this document has had very little review until now. We
> will only progress it as a WG document if we have at least 3 non-
> editor, non-WG chair reviewers who have read it and approve of it.
> And yes, this means the pseudocode, too. There has been strong
> support of ESP-null detection, so this document is likely to be
> widely implemented. Your review will mean a lot to the technical
> quality of this document.
> Please clearly indicate the position of any issue in the Internet
> Draft, and if possible provide alternative text. Please also
> indicate the nature or severity of the error or correction, e.g.
> major technical, minor technical, nit, so that we can quickly judge
> the extent of problems with the document.
> The document can be accessed here:
> http://tools.ietf.org/html/draft-ietf-ipsecme-esp-null-heuristics-01
> Thanks,
> Yaron

IPsec mailing list
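What a whitelist policy of the kind described in the message does with ESP traffic, as an added example that is not part of the thread and is not the draft's pseudocode: a toy deep-inspection engine that tries to recognise ESP-NULL (integrity-only) packets, inspects the inner protocol when it can, and drops everything it cannot positively identify. Only the ESP layout (SPI, sequence number, payload, padding, pad length, next header, ICV, per RFC 4303) is taken from the standard; the candidate ICV lengths, the inner-header sanity checks, the application checks and the sample packets are my own assumptions, and the detection loop is a deliberate simplification rather than the heuristic the draft specifies.

```python
# Added example (not the draft's pseudocode or any product's code): a toy
# deep-inspection engine with a whitelist policy, applied to ESP packets.
# ESP layout per RFC 4303: SPI(4) Seq(4) | payload | padding | pad len(1)
# | next header(1) | ICV.  The ICV length is not carried in the packet.
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ESP = 1, 6, 17, 50
ICV_LENGTHS = (12, 16, 24, 32)   # assumed candidate ICV sizes to try, shortest first
ALLOWED = {"http", "https", "icmp", "dns"}


def build_esp_null(next_header, inner, icv_len=12, spi=0x1000, seq=1):
    """Construct an ESP-NULL packet: inner + monotonic padding + trailer + dummy ICV."""
    pad_len = (-(len(inner) + 2)) % 4          # payload+pad+trailer must be 4-byte aligned
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default padding 1, 2, 3, ...
    icv = b"\xaa" * icv_len                     # constructed dummy ICV, never verified here
    return struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header]) + icv


def inner_header_plausible(proto, data):
    """Cheap sanity checks on a candidate inner transport header (my assumptions)."""
    if proto == PROTO_UDP and len(data) >= 8:
        length = struct.unpack("!H", data[4:6])[0]
        return length == len(data)              # UDP length field must match
    if proto == PROTO_TCP and len(data) >= 20:
        data_off = data[12] >> 4
        return 5 <= data_off <= 15 and data_off * 4 <= len(data)
    if proto == PROTO_ICMP and len(data) >= 8:
        return data[0] in (0, 8) and data[1] == 0   # assumption: only echo is accepted
    return False


def detect_esp_null(pkt):
    """Return (next_header, inner_bytes) if pkt parses as ESP-NULL, else None.

    Each candidate ICV length is tried; a guess survives only if the trailer it
    implies is consistent (standard padding bytes, 4-byte alignment) and the
    inner header it exposes looks sane.  Encrypted ESP fails every guess.
    """
    body = pkt[8:]                               # skip SPI and sequence number
    for icv_len in ICV_LENGTHS:
        trailer_end = len(body) - icv_len
        if trailer_end < 2 or trailer_end % 4:
            continue
        pad_len, next_header = body[trailer_end - 2], body[trailer_end - 1]
        inner_end = trailer_end - 2 - pad_len
        if inner_end < 0:
            continue
        if body[inner_end:trailer_end - 2] != bytes(range(1, pad_len + 1)):
            continue
        inner = body[:inner_end]
        if inner_header_plausible(next_header, inner):
            return next_header, inner
    return None                                  # encrypted ESP, or not ESP-NULL we can read


def classify(ip_proto, payload):
    """Name the application the policy recognises, or None if it cannot tell."""
    if ip_proto == PROTO_ESP:
        found = detect_esp_null(payload)
        if found is None:
            return None                          # nothing to inspect inside
        ip_proto, payload = found
    if ip_proto == PROTO_ICMP:
        return "icmp"
    if ip_proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if 53 in (sport, dport):
            return "dns"
    if ip_proto == PROTO_TCP and len(payload) >= 20:
        sport, dport = struct.unpack("!HH", payload[:4])
        app = payload[(payload[12] >> 4) * 4:]
        if 80 in (sport, dport) and app.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/")):
            return "http"                        # "verify headers": request/status line check
        if 443 in (sport, dport) and app[:1] in (b"\x14", b"\x15", b"\x16", b"\x17") \
                and app[1:2] == b"\x03":
            return "https"                       # TLS record header
    return None


def decide(ip_proto, payload):
    """Whitelist policy: anything not positively identified is dropped."""
    return "allow" if classify(ip_proto, payload) in ALLOWED else "drop"


# Constructed sample packets (not captured traffic).
DNS_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)        # bare DNS header
UDP_DNS = struct.pack("!HHHH", 4321, 53, 8 + len(DNS_QUERY), 0) + DNS_QUERY
TCP_HTTP = struct.pack("!HHIIBBHHH", 50000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + b"GET / HTTP/1.1\r\n"
SAMPLE_CLEAR_SSH = struct.pack("!HHIIBBHHH", 50001, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
SAMPLE_ESP_NULL_DNS = build_esp_null(PROTO_UDP, UDP_DNS, icv_len=12)
SAMPLE_ESP_NULL_HTTP = build_esp_null(PROTO_TCP, TCP_HTTP, icv_len=16)
# Stand-in for ESP with encryption: deterministic junk after the ESP header.
SAMPLE_ESP_ENCRYPTED = struct.pack("!II", 0x2000, 7) + bytes((i * 37 + 11) & 0xFF for i in range(60))

if __name__ == "__main__":
    for name, proto, pkt in [("ESP-NULL/DNS", PROTO_ESP, SAMPLE_ESP_NULL_DNS),
                             ("ESP-NULL/HTTP", PROTO_ESP, SAMPLE_ESP_NULL_HTTP),
                             ("ESP encrypted", PROTO_ESP, SAMPLE_ESP_ENCRYPTED),
                             ("clear SSH", PROTO_TCP, SAMPLE_CLEAR_SSH)]:
        print(f"{name:14} -> {decide(proto, pkt)}")
```

The encrypted ESP sample never passes a trailer check, so it reaches the policy unclassified and is dropped by the default-deny rule, which is the point made above: such a policy does not need a special rule for encrypted ESP. The two ESP-NULL samples carry different ICV lengths to show why the length has to be guessed rather than read; a real heuristic also has to tolerate non-standard padding and cache its verdict per SPI, which this toy omits.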