IETF Logo Mail Archive

Re: [IPsec] Avoiding Authentication Header (AH)

RJ Atkinson <rja.lists@gmail.com> Mon, 02 January 2012 14:34 UTC

Return-Path: <rja.lists@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA9A321F84ED for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 06:34:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kQJAH1Z1bbYc for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 06:34:26 -0800 (PST)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id E671A21F84DD for <ipsec@ietf.org>; Mon, 2 Jan 2012 06:34:25 -0800 (PST)
Received: by qadb15 with SMTP id b15so9103334qad.10 for <ipsec@ietf.org>; Mon, 02 Jan 2012 06:34:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=from:content-type:content-transfer-encoding:date:subject:to :message-id:mime-version:x-mailer; bh=EA3oI1odZmGvfSu4PqGE3dAJ6WiU8/b/IC+GpaS5K1o=; b=hQc+TBm7Aiag9qd52j//nfdSU0H5ecy59tbTQfFZwxBs6yeIbi9jlc9ze9Qv3ok0mo okGT9Q6z9Y14ZuiZ9bBtAXzF3K97DxzQO5dc7s2PClL4SCNpt3fD40vRz/SeyIFW/y0n 7C9zf2gz/X0zKmIweoc/jYlX2C/ngR5xyui0E=
Received: by 10.224.193.7 with SMTP id ds7mr15623617qab.66.1325514864240; Mon, 02 Jan 2012 06:34:24 -0800 (PST)
Received: from [10.30.20.12] (pool-96-225-134-175.nrflva.fios.verizon.net. [96.225.134.175]) by mx.google.com with ESMTPS id ev2sm45180455qab.15.2012.01.02.06.34.22 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 02 Jan 2012 06:34:23 -0800 (PST)
From: RJ Atkinson <rja.lists@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Date: Mon, 02 Jan 2012 09:34:21 -0500
To: IPsec ME WG List <ipsec@ietf.org>
Message-Id: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com>
Mime-Version: 1.0 (Apple Message framework v1251.1)
X-Mailer: Apple Mail (2.1251.1)
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jan 2012 14:34:27 -0000

Folks,

I mostly entirely agree with Michael Richardson's
analysis at the URL just below, namely that AH continues
to have utility -- but that utility is not VPN deployments.

Michael Richardson's note:
	<http://www.ietf.org/mail-archive/web/ipsec/current/msg07363.html>


HISTORY

Important history is that both ESP and AH were originally
products of the IPv6 Working Group.  They moved into the
IPsec WG because the IPsec WG had not made significant
progress at that time (early 1990s).

AH was created and exists primarily to enable authentication, 
including intermediate authentication, of IPv4 and IPv6 
options, extension headers, and so forth.  



BACKGROUND & AVAILABILITY:

Many modern silicon-based routers and firewalls, from multiple 
router vendors, can parse or parse-past options and optional 
headers at wire speed, so existence of an IP-layer option or 
extension does not today automatically push the IP packet 
on to what folks historically called the "slow path" for 
packet forwarding.  This makes it much more practical to
deploy IP options and IP optional headers now than in the
past.

Virtually all IPv6 hosts, and most IPv4 hosts, support AH 
in shipping product, and have done for ~15 years now.  This 
includes both commercial products and open-source implementations.  
Most major IPv6 routers, for example multiple product lines 
from both Cisco and Juniper, also support AH in shipping 
product and have done for some while now.  So AH remains 
a very widely available protocol.



CURRENTLY DEPLOYED USES:

While AH uses are limited today, just as the use of
IP options/extensions are limited today, current active 
uses of AH in real-world deployments today include at least
these -- built using commercial off-the-shelf products:

	- AH with IPv4 to authenticate sensitivity label 
	  options (e.g. FIPS-188, RFC-1108).

	- AH with IPv4 to prevent options-based attacks,
	  primarily in certain high-threat environments.

	- AH with IPv6 to authenticate certain IPv6
	  extension headers and options, primarily in
	  certain high-threat environments.

	- AH with IPv6 to prevent extension-header-based
	  and options-based attacks, primarily in certain
	  high-threat environments.

	- Many IPv6 deployments using OSPFv3 have enabled
	  OSPFv3 protection using AH.  Most router vendors,
	  including (for example) multiple product lines 
	  from both Cisco and Juniper, shipped this capability 
	  long ago -- and this use of AH is both interoperable 
	  and widespread, largely within IPv6 enterprise
	  deployments.  OSPFv3 itself is largely deployed in
	  enterprises today, as I/IS-IS is more popular with
	  ISPs.

	  [NOTE WELL:  AH for OSPFv3 has NOT been deprecated, and
	  remains on the IETF standards track.  It is interesting,
	  however, that author of this AH draft is trying to kill 
	  off the use of AH to protect routing information -- 
	  apparently because his employer does not offer this 
	  AH for OSPFv3 capability in its released products.]

	- Some IPv6 profiles, including the US Government
	  profile for IPv6, require AH support either generally
	  or in certain situations (example: to protect OSPFv3,
	  to authenticate certain IP options or IP extension
	  headers).

This WG ought not make existing legitimate uses of AH
invalid or not recommended.  There is no available alternative
for authenticating IP-layer options, extension headers,
and so forth.  AH is the only available way to do such
authentication at present.


FIREWALLS & MIDDLEBOXES:

While this WG has produced some documents with guidance
on how to approach parsing past an ESP header when NULL
encryption is used, we still do not have a completely
reliable way to parse past an ESP header when NULL 
encryption is used.  

By contrast, it is easy and quick to parse past an AH header 
-- either in the end system or in a firewall/router/middlebox.  
Several deployed firewall products in fact can and do 
parse past AH headers, either to perform deep packet inspection 
or simply to examine the transport protocol and port information.  


IETF PROCESS RULES:

Last, on an IETF Process note, the IPsec WG Charter posted
online is quite strict and is narrowly defined, with an
enumerated list of allowed work items.  To quote from
the charter:

	"The scope of the WG is restricted to the 
	work items listed above."

Neither changes to AH status nor Applicability Statements
for AH are listed in the WG Charter.

So it is not obvious that this document is within the charter 
for the IPsec ME WG.  

If the IPsec ME WG Chairs believe this work is within charter, 
they ought to post a note to the IPsec ME WG mailing list
citing the specific charter text authorising this topic.

IPsec ME Charter:
	<http://datatracker.ietf.org/wg/ipsecme/charter/>

A draft outside the Charter of an IETF WG ought not
be developed by or within that WG.  So I don't see 
how this document properly can be considered by this WG.


Yours,

Ran

v2.23.0 | Report a Bug | By Email