On Tue, 14 Nov 2017, S Moonesamy wrote:
Sorry for not being clear. The draft states that "NULL Authentication with IPsec" has been implemented and deployed. Given that it is a practice, is it a good idea?
The deployments I'm aware of with mesh encryption using IPsec did try to keep some kind of network-based monitoring/filtering in place, but in the end concluded enterprise-wide mesh encryption is more important, and the rules of the network monitoring/firewalls can be pushed to the end nodes using the usual sync methods (puppet, ansible, new gold image container, etc). I don't think the IETF should try to answer whether it is a good idea or not. There was a need for this, and we enabled the protocol to perform this optional function.

Paul