Re: [IPsec] Avoiding Authentication Header (AH)
RJ Atkinson <rja.lists@gmail.com> Tue, 03 January 2012 00:45 UTC
Return-Path: <rja.lists@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC67B21F852F for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 16:45:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zIEBgweuJ-MX for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 16:45:52 -0800 (PST)
Received: from mail-qw0-f51.google.com (mail-qw0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id 3997521F852D for <ipsec@ietf.org>; Mon, 2 Jan 2012 16:45:52 -0800 (PST)
Received: by qadz3 with SMTP id z3so10371025qad.10 for <ipsec@ietf.org>; Mon, 02 Jan 2012 16:45:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=content-type:mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to:x-mailer; bh=gEecggv4O/Vw3CeLEx+AqWRvzNfFGhBJTrC9Hx2Tn54=; b=qUK4hRq+rXG+bqWc4Cjz5AgpIWV7fKdJBLbLZp5shOHb94dkc1qd7V96J7+Qd0vSHp zZ2dMsTVQ+geZmxat2HULNx5lE10ldxqvHMjy39NAjIJn2U1/zEv2DYfS9DLtVB8FUTA WrAe7Nxqu9wbRIBEh4mng9Ss3MeTPV8Y6lkVM=
Received: by 10.224.106.5 with SMTP id v5mr59315155qao.74.1325551551716; Mon, 02 Jan 2012 16:45:51 -0800 (PST)
Received: from [10.30.20.12] (pool-96-225-134-175.nrflva.fios.verizon.net. [96.225.134.175]) by mx.google.com with ESMTPS id cf18sm45164208qab.9.2012.01.02.16.45.50 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 02 Jan 2012 16:45:51 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Apple Message framework v1251.1)
From: RJ Atkinson <rja.lists@gmail.com>
In-Reply-To: <CAK3OfOh6uCm_Zyt0HTx3TAYPVuJeVrJmEWcGBujGRx=m90NNTQ@mail.gmail.com>
Date: Mon, 02 Jan 2012 19:45:49 -0500
Content-Transfer-Encoding: 7bit
Message-Id: <31DFE5C9-2DE0-4A1B-A216-AE8F47E75109@gmail.com>
References: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D027BB46F@INBANSXCHMBSA1.in.alcatel-lucent.com> <F1B15794-3291-4E71-BE26-A3559F408B01@gmail.com> <CAK3OfOh6uCm_Zyt0HTx3TAYPVuJeVrJmEWcGBujGRx=m90NNTQ@mail.gmail.com>
To: IPsec ME WG List <ipsec@ietf.org>
X-Mailer: Apple Mail (2.1251.1)
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2012 00:45:52 -0000
On 02 Jan 2012, at 19:28 , Nico Williams wrote: > On Mon, Jan 2, 2012 at 3:11 PM, RJ Atkinson <rja.lists@gmail.com> wrote: >> I gave a list earlier of a number of different scenarios where >> and reasons why AH is used. A subset of that list: >> - ESP null does not protect options/optional headers. > > ESP in tunnel mode is supposed to be the replacement for AH, > and gets you this. Sadly, it cannot do so. Tunnel-mode isn't especially helpful here -- particularly for options or optional headers that are intended to be read/seen and their contents considered when forwarding transit IP packets. In IPv4, ESP can't protect any IPv4 options, because the ESP header always follows the IPv4 options. In IPv6, there are also problems. For example, if one has a Routing Header or Hop-by-Hop header then that would come BEFORE the ESP header -- precisely so that applicable routers or other middle boxes can see those headers in order to use their information during transit packet processing. >> - ESP null cannot reliably be parsed past. > > WESP is supposed to provide this. Sadly, at present there is still no 100% reliable method for parsing past an ESP header with NULL encryption. There are various documents describing methods which have various success probabilities, but none that is 100% reliable. > Would tunnel mode be too expensive for new protocols that need > integrity protection of outer headers? As noted above, tunnel-mode would not solve the technical problem. > In any case, if there's no way to remove AH support from existing > implementations any time soon, then there's not much benefit to moving > AH to Historic either. And it's clear that the controversy that has > arisen will take a fair bit of energy to resolve. It may be best to > simply publish an Informational RFC providing advice on what new > protocols that say "use IPsec" should do. We disagree on that. Existing IPsec RFCs are clear enough. If folks aren't going to read those, then they are not likely to read any new Informational RFC either. Dan Harkins' analysis was spot-on, IMHO. Yours, Ran
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Paul Hoffman
- Re: [IPsec] Avoiding Authentication Header (AH) Venkatesh Sriram
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Dan Harkins
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) Nico Williams
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Nico Williams
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Michael Richardson
- Re: [IPsec] Avoiding Authentication Header (AH) Michael Richardson
- Re: [IPsec] Avoiding Authentication Header (AH) Michael Richardson
- Re: [IPsec] Avoiding Authentication Header (AH) Nico Williams
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) Nico Williams
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Michael Richardson
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- [IPsec] WESP and reliability Paul Hoffman
- Re: [IPsec] WESP and reliability RJ Atkinson
- Re: [IPsec] WESP and reliability Paul Hoffman
- Re: [IPsec] Avoiding Authentication Header (AH) Dan Harkins
- Re: [IPsec] WESP and reliability Yaron Sheffer
- Re: [IPsec] Avoiding Authentication Header (AH) Nico Williams
- Re: [IPsec] WESP and reliability Bhatia, Manav (Manav)
- Re: [IPsec] WESP and reliability Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) Sean Turner
- Re: [IPsec] WESP and reliability Yaron Sheffer
- Re: [IPsec] Avoiding Authentication Header (AH) Yaron Sheffer
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Tero Kivinen
- Re: [IPsec] Avoiding Authentication Header (AH) Tero Kivinen
- Re: [IPsec] Avoiding Authentication Header (AH) Markku Savela
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Tero Kivinen
- Re: [IPsec] Avoiding Authentication Header (AH) Yoav Nir
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Panos Kampanakis