IETF Logo Mail Archive

Re: [IPsec] Avoiding Authentication Header (AH)

RJ Atkinson <rja.lists@gmail.com> Tue, 03 January 2012 00:45 UTC

Return-Path: <rja.lists@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC67B21F852F for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 16:45:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zIEBgweuJ-MX for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 16:45:52 -0800 (PST)
Received: from mail-qw0-f51.google.com (mail-qw0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id 3997521F852D for <ipsec@ietf.org>; Mon, 2 Jan 2012 16:45:52 -0800 (PST)
Received: by qadz3 with SMTP id z3so10371025qad.10 for <ipsec@ietf.org>; Mon, 02 Jan 2012 16:45:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=content-type:mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to:x-mailer; bh=gEecggv4O/Vw3CeLEx+AqWRvzNfFGhBJTrC9Hx2Tn54=; b=qUK4hRq+rXG+bqWc4Cjz5AgpIWV7fKdJBLbLZp5shOHb94dkc1qd7V96J7+Qd0vSHp zZ2dMsTVQ+geZmxat2HULNx5lE10ldxqvHMjy39NAjIJn2U1/zEv2DYfS9DLtVB8FUTA WrAe7Nxqu9wbRIBEh4mng9Ss3MeTPV8Y6lkVM=
Received: by 10.224.106.5 with SMTP id v5mr59315155qao.74.1325551551716; Mon, 02 Jan 2012 16:45:51 -0800 (PST)
Received: from [10.30.20.12] (pool-96-225-134-175.nrflva.fios.verizon.net. [96.225.134.175]) by mx.google.com with ESMTPS id cf18sm45164208qab.9.2012.01.02.16.45.50 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 02 Jan 2012 16:45:51 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Apple Message framework v1251.1)
From: RJ Atkinson <rja.lists@gmail.com>
In-Reply-To: <CAK3OfOh6uCm_Zyt0HTx3TAYPVuJeVrJmEWcGBujGRx=m90NNTQ@mail.gmail.com>
Date: Mon, 02 Jan 2012 19:45:49 -0500
Content-Transfer-Encoding: 7bit
Message-Id: <31DFE5C9-2DE0-4A1B-A216-AE8F47E75109@gmail.com>
References: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D027BB46F@INBANSXCHMBSA1.in.alcatel-lucent.com> <F1B15794-3291-4E71-BE26-A3559F408B01@gmail.com> <CAK3OfOh6uCm_Zyt0HTx3TAYPVuJeVrJmEWcGBujGRx=m90NNTQ@mail.gmail.com>
To: IPsec ME WG List <ipsec@ietf.org>
X-Mailer: Apple Mail (2.1251.1)
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2012 00:45:52 -0000

On 02  Jan 2012, at 19:28 , Nico Williams wrote:
> On Mon, Jan 2, 2012 at 3:11 PM, RJ Atkinson <rja.lists@gmail.com> wrote:
>> I gave a list earlier of a number of different scenarios where
>> and reasons why AH is used.  A subset of that list:
>>        - ESP null does not protect options/optional headers.
> 
> ESP in tunnel mode is supposed to be the replacement for AH,
> and gets you this.

Sadly, it cannot do so.  

Tunnel-mode isn't especially helpful here -- particularly 
for options or optional headers that are intended to be 
read/seen and their contents considered when forwarding 
transit IP packets.

In IPv4, ESP can't protect any IPv4 options, because the
ESP header always follows the IPv4 options.

In IPv6, there are also problems.  For example, if one has 
a Routing Header or Hop-by-Hop header then that would come 
BEFORE the ESP header -- precisely so that applicable routers 
or other middle boxes can see those headers in order to use 
their information during transit packet processing.  

>>        - ESP null cannot reliably be parsed past.
> 
> WESP is supposed to provide this.

Sadly, at present there is still no 100% reliable
method for parsing past an ESP header with NULL encryption.
There are various documents describing methods which
have various success probabilities, but none that is
100% reliable.

> Would tunnel mode be too expensive for new protocols that need
> integrity protection of outer headers?

As noted above, tunnel-mode would not solve the 
technical problem.

> In any case, if there's no way to remove AH support from existing
> implementations any time soon, then there's not much benefit to moving
> AH to Historic either.  And it's clear that the controversy that has
> arisen will take a fair bit of energy to resolve.  It may be best to
> simply publish an Informational RFC providing advice on what new
> protocols that say "use IPsec" should do.

We disagree on that.  Existing IPsec RFCs are clear enough.
If folks aren't going to read those, then they are not likely
to read any new Informational RFC either.  

Dan Harkins' analysis was spot-on, IMHO.

Yours,

Ran

v2.23.0 | Report a Bug | By Email