Technical Summary
This document describes the Wrapped Encapsulating Security Payload
(WESP) protocol, which is based on the Encapsulating Security
Payload (ESP) protocol and is designed to allow intermediate
devices to ascertain if ESP with null encryption is being employed
and if so, inspect the IPsec packets for network monitoring and
access control functions. The mechanism described in this document
can be used to easily disambiguate ESP-NULL from encrypted ESP
packets, without compromising on the security provided by ESP.
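As an added illustration of the disambiguation just described (example code written for this summary, not code from the WESP specification or from any implementation), the following Python decodes the 4-octet WESP header that precedes the ESP header, rejects unknown versions, and exposes the cleartext inner packet only when the Encrypted Payload bit is clear. It assumes the RFC 5840 header layout (Next Header, HdrLen, TrailerLen, then Version/E/P/Reserved flag bits), that version 0 is the version defined there, and that the optional 4-octet padding signalled by P directly follows the WESP header; the sample packets and the build_wesp helper are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# WESP header (4 octets) per RFC 5840, followed by the unchanged ESP header:
#   Next Header | HdrLen | TrailerLen | Version(2 bits) E(1) P(1) Rsvd(4)
# Assumptions (see lead-in): version 0 is the RFC 5840 version, padding
# signalled by P sits right after the WESP header, HdrLen is measured from
# the start of the WESP header and TrailerLen from the end of the packet.
WESP_HDR_LEN, ESP_HDR_LEN, WESP_VERSION = 4, 8, 0

@dataclass
class WespView:
    encrypted: bool
    next_header: int
    spi: int
    seq: int
    inner: Optional[bytes]  # cleartext inner packet for ESP-NULL, None if encrypted

def classify_wesp(pkt: bytes) -> WespView:
    """Decode a WESP packet the way an inspecting middlebox would.

    Raises ValueError on malformed input or an unknown version: a future
    version may change the format, so a monitor must not guess at it.
    """
    if len(pkt) < WESP_HDR_LEN + ESP_HDR_LEN:
        raise ValueError("too short for WESP + ESP headers")
    next_hdr, hdr_len, trailer_len, flags = struct.unpack("!BBBB", pkt[:4])
    version, enc, pad = flags >> 6, bool(flags & 0x20), bool(flags & 0x10)
    if version != WESP_VERSION:
        raise ValueError(f"unsupported WESP version {version}")
    esp_off = WESP_HDR_LEN + (4 if pad else 0)
    if len(pkt) < esp_off + ESP_HDR_LEN:
        raise ValueError("too short for padded WESP + ESP headers")
    spi, seq = struct.unpack("!II", pkt[esp_off:esp_off + ESP_HDR_LEN])
    if enc:
        return WespView(True, next_hdr, spi, seq, None)  # nothing inspectable
    # ESP-NULL: HdrLen and TrailerLen delimit the cleartext inner packet.
    if hdr_len < esp_off + ESP_HDR_LEN or hdr_len + trailer_len > len(pkt):
        raise ValueError("HdrLen/TrailerLen inconsistent with packet length")
    return WespView(False, next_hdr, spi, seq, pkt[hdr_len:len(pkt) - trailer_len])

def build_wesp(next_hdr: int, spi: int, seq: int, inner: bytes, icv: bytes,
               encrypted: bool = False) -> bytes:
    """Constructed sample: ESP-NULL, no IV, no ESP padding, ICV not computed.
    With encrypted=True only the E bit is set; the classifier then ignores
    the remaining header fields, so they are left as for ESP-NULL."""
    trailer = bytes([0, next_hdr]) + icv  # Pad Length, Next Header, ICV
    flags = (WESP_VERSION << 6) | (0x20 if encrypted else 0)
    wesp = struct.pack("!BBBB", next_hdr, WESP_HDR_LEN + ESP_HDR_LEN,
                       len(trailer), flags)
    return wesp + struct.pack("!II", spi, seq) + inner + trailer
```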
Working Group Summary
Early on there was prolonged WG discussion about the relative
merits of the Wrapped ESP solution for identifying ESP-null
traffic, compared to heuristic methods for traffic
inspection. Eventually the WG reached consensus on the usefulness
of having both solutions published, with the heuristics solution
targeted for the interim period until WESP is widely deployed. This
consensus is documented in both protocol documents.
IESG review also led to clarifying the protocol's extensibility
model: if there is consensus in the future to extend the protocol,
those extensions need a new WESP version number, and have to be
negotiated by the endpoints. This simplified the protocol by,
for example, keeping the ICV coverage unchanged from ESP.
Document Quality
Currently, there are no known implementations. However, a number of
vendors have expressed interest and supported this activity.
Personnel
The document shepherd is Yaron Sheffer, and the responsible
area director is Pasi Eronen.