Re: [IPsec] Avoiding Authentication Header (AH)
RJ Atkinson <rja.lists@gmail.com> Mon, 02 January 2012 14:34 UTC
Return-Path: <rja.lists@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA9A321F84ED for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 06:34:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kQJAH1Z1bbYc for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 06:34:26 -0800 (PST)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id E671A21F84DD for <ipsec@ietf.org>; Mon, 2 Jan 2012 06:34:25 -0800 (PST)
Received: by qadb15 with SMTP id b15so9103334qad.10 for <ipsec@ietf.org>; Mon, 02 Jan 2012 06:34:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=from:content-type:content-transfer-encoding:date:subject:to :message-id:mime-version:x-mailer; bh=EA3oI1odZmGvfSu4PqGE3dAJ6WiU8/b/IC+GpaS5K1o=; b=hQc+TBm7Aiag9qd52j//nfdSU0H5ecy59tbTQfFZwxBs6yeIbi9jlc9ze9Qv3ok0mo okGT9Q6z9Y14ZuiZ9bBtAXzF3K97DxzQO5dc7s2PClL4SCNpt3fD40vRz/SeyIFW/y0n 7C9zf2gz/X0zKmIweoc/jYlX2C/ngR5xyui0E=
Received: by 10.224.193.7 with SMTP id ds7mr15623617qab.66.1325514864240; Mon, 02 Jan 2012 06:34:24 -0800 (PST)
Received: from [10.30.20.12] (pool-96-225-134-175.nrflva.fios.verizon.net. [96.225.134.175]) by mx.google.com with ESMTPS id ev2sm45180455qab.15.2012.01.02.06.34.22 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 02 Jan 2012 06:34:23 -0800 (PST)
From: RJ Atkinson <rja.lists@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Date: Mon, 02 Jan 2012 09:34:21 -0500
To: IPsec ME WG List <ipsec@ietf.org>
Message-Id: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com>
Mime-Version: 1.0 (Apple Message framework v1251.1)
X-Mailer: Apple Mail (2.1251.1)
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jan 2012 14:34:27 -0000
Folks, I mostly entirely agree with Michael Richardson's analysis at the URL just below, namely that AH continues to have utility -- but that utility is not VPN deployments. Michael Richardson's note: <http://www.ietf.org/mail-archive/web/ipsec/current/msg07363.html> HISTORY Important history is that both ESP and AH were originally products of the IPv6 Working Group. They moved into the IPsec WG because the IPsec WG had not made significant progress at that time (early 1990s). AH was created and exists primarily to enable authentication, including intermediate authentication, of IPv4 and IPv6 options, extension headers, and so forth. BACKGROUND & AVAILABILITY: Many modern silicon-based routers and firewalls, from multiple router vendors, can parse or parse-past options and optional headers at wire speed, so existence of an IP-layer option or extension does not today automatically push the IP packet on to what folks historically called the "slow path" for packet forwarding. This makes it much more practical to deploy IP options and IP optional headers now than in the past. Virtually all IPv6 hosts, and most IPv4 hosts, support AH in shipping product, and have done for ~15 years now. This includes both commercial products and open-source implementations. Most major IPv6 routers, for example multiple product lines from both Cisco and Juniper, also support AH in shipping product and have done for some while now. So AH remains a very widely available protocol. CURRENTLY DEPLOYED USES: While AH uses are limited today, just as the use of IP options/extensions are limited today, current active uses of AH in real-world deployments today include at least these -- built using commercial off-the-shelf products: - AH with IPv4 to authenticate sensitivity label options (e.g. FIPS-188, RFC-1108). - AH with IPv4 to prevent options-based attacks, primarily in certain high-threat environments. - AH with IPv6 to authenticate certain IPv6 extension headers and options, primarily in certain high-threat environments. - AH with IPv6 to prevent extension-header-based and options-based attacks, primarily in certain high-threat environments. - Many IPv6 deployments using OSPFv3 have enabled OSPFv3 protection using AH. Most router vendors, including (for example) multiple product lines from both Cisco and Juniper, shipped this capability long ago -- and this use of AH is both interoperable and widespread, largely within IPv6 enterprise deployments. OSPFv3 itself is largely deployed in enterprises today, as I/IS-IS is more popular with ISPs. [NOTE WELL: AH for OSPFv3 has NOT been deprecated, and remains on the IETF standards track. It is interesting, however, that author of this AH draft is trying to kill off the use of AH to protect routing information -- apparently because his employer does not offer this AH for OSPFv3 capability in its released products.] - Some IPv6 profiles, including the US Government profile for IPv6, require AH support either generally or in certain situations (example: to protect OSPFv3, to authenticate certain IP options or IP extension headers). This WG ought not make existing legitimate uses of AH invalid or not recommended. There is no available alternative for authenticating IP-layer options, extension headers, and so forth. AH is the only available way to do such authentication at present. FIREWALLS & MIDDLEBOXES: While this WG has produced some documents with guidance on how to approach parsing past an ESP header when NULL encryption is used, we still do not have a completely reliable way to parse past an ESP header when NULL encryption is used. By contrast, it is easy and quick to parse past an AH header -- either in the end system or in a firewall/router/middlebox. Several deployed firewall products in fact can and do parse past AH headers, either to perform deep packet inspection or simply to examine the transport protocol and port information. IETF PROCESS RULES: Last, on an IETF Process note, the IPsec WG Charter posted online is quite strict and is narrowly defined, with an enumerated list of allowed work items. To quote from the charter: "The scope of the WG is restricted to the work items listed above." Neither changes to AH status nor Applicability Statements for AH are listed in the WG Charter. So it is not obvious that this document is within the charter for the IPsec ME WG. If the IPsec ME WG Chairs believe this work is within charter, they ought to post a note to the IPsec ME WG mailing list citing the specific charter text authorising this topic. IPsec ME Charter: <http://datatracker.ietf.org/wg/ipsecme/charter/> A draft outside the Charter of an IETF WG ought not be developed by or within that WG. So I don't see how this document properly can be considered by this WG. Yours, Ran
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Paul Hoffman
- Re: [IPsec] Avoiding Authentication Header (AH) Venkatesh Sriram
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Dan Harkins
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) Nico Williams
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Nico Williams
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Michael Richardson
- Re: [IPsec] Avoiding Authentication Header (AH) Michael Richardson
- Re: [IPsec] Avoiding Authentication Header (AH) Michael Richardson
- Re: [IPsec] Avoiding Authentication Header (AH) Nico Williams
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) Nico Williams
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Michael Richardson
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- [IPsec] WESP and reliability Paul Hoffman
- Re: [IPsec] WESP and reliability RJ Atkinson
- Re: [IPsec] WESP and reliability Paul Hoffman
- Re: [IPsec] Avoiding Authentication Header (AH) Dan Harkins
- Re: [IPsec] WESP and reliability Yaron Sheffer
- Re: [IPsec] Avoiding Authentication Header (AH) Nico Williams
- Re: [IPsec] WESP and reliability Bhatia, Manav (Manav)
- Re: [IPsec] WESP and reliability Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) Sean Turner
- Re: [IPsec] WESP and reliability Yaron Sheffer
- Re: [IPsec] Avoiding Authentication Header (AH) Yaron Sheffer
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Tero Kivinen
- Re: [IPsec] Avoiding Authentication Header (AH) Tero Kivinen
- Re: [IPsec] Avoiding Authentication Header (AH) Markku Savela
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Tero Kivinen
- Re: [IPsec] Avoiding Authentication Header (AH) Yoav Nir
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Panos Kampanakis