Thanks, Randy. I agree and am hoping other ways forward can be found. I put a similar blog up on RSA's site, but it gave a few reasons why IPsec might be an option within the data center for that use case, suggesting transport mode for a few reasons. The go forward could be something else, but it would be good for people to think about options until we have better logging at the end point applications and other measures to fill the gaps. I know opinions on this are all over the map, so we'll have to see what the community wants, but I'm hoping for more options. Best regards, Kathleen Sent from my iPhone > On Sep 23, 2017, at 1:28 AM, Randy Bush <randy@xxxxxxx> wrote: > > while the datacenter example is somewhat real, 95% of the iceberg is > under the water; vendors wanting to sell a lot of surveillance gear to, > not only enterprises, but repressive regimes. it is a big and very > dirty (peoole being dragged away in the middle of the night) business. > > please keep 1.3 as e2e secure as possible. > > randy