IETF Logo Mail Archive

Re: [IPsec] WESP - Roadmap Ahead

"Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com> Thu, 12 November 2009 04:09 UTC

Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 80F7E3A689C for <ipsec@core3.amsl.com>; Wed, 11 Nov 2009 20:09:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.404
X-Spam-Level:
X-Spam-Status: No, score=-2.404 tagged_above=-999 required=5 tests=[AWL=0.195, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fC9lAc+H20Lw for <ipsec@core3.amsl.com>; Wed, 11 Nov 2009 20:09:05 -0800 (PST)
Received: from hoemail2.alcatel.com (hoemail2.alcatel.com [192.160.6.149]) by core3.amsl.com (Postfix) with ESMTP id 950AE3A6875 for <ipsec@ietf.org>; Wed, 11 Nov 2009 20:09:05 -0800 (PST)
Received: from horh1.usa.alcatel.com (h172-22-218-55.lucent.com [172.22.218.55]) by hoemail2.alcatel.com (8.13.8/IER-o) with ESMTP id nAC49Ruk005296; Wed, 11 Nov 2009 22:09:27 -0600 (CST)
Received: from mail.apac.alcatel-lucent.com (h202-65-2-130.alcatel.com [202.65.2.130]) by horh1.usa.alcatel.com (8.13.8/emsr) with ESMTP id nAC49QJ5024851; Wed, 11 Nov 2009 22:09:27 -0600 (CST)
Received: from INBANSXCHHUB02.in.alcatel-lucent.com (inbansxchhub02.in.alcatel-lucent.com [135.250.12.35]) by mail.apac.alcatel-lucent.com (8.13.7/8.13.7/Alcanet1.0) with ESMTP id nAC47xt9007781; Thu, 12 Nov 2009 12:07:59 +0800
Received: from INBANSXCHMBSA1.in.alcatel-lucent.com ([135.250.12.38]) by INBANSXCHHUB02.in.alcatel-lucent.com ([135.250.12.35]) with mapi; Thu, 12 Nov 2009 09:39:24 +0530
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: Merike Kaeo <merike@doubleshotsecurity.com>, Stephen Kent <kent@bbn.com>
Date: Thu, 12 Nov 2009 09:39:23 +0530
Thread-Topic: [IPsec] WESP - Roadmap Ahead
Thread-Index: AcpjSx3m4qrpp3CyTxOP25K11Lm9xwAAnMMg
Message-ID: <7C362EEF9C7896468B36C9B79200D8350A681DDBF7@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <dc8fd0140911110805q67759507t6cf75a1e9d81c5aa@mail.gmail.com> <p06240800c720d4538dd2@[133.93.112.234]> <7C362EEF9C7896468B36C9B79200D8350A681DDBDB@INBANSXCHMBSA1.in.alcatel-luce nt.com> <p0624080ac7212e67c860@[133.93.16.246]> <8CCEE8E4-9AC4-46FB-93E4-FE61E0135EB7@doubleshotsecurity.com>
In-Reply-To: <8CCEE8E4-9AC4-46FB-93E4-FE61E0135EB7@doubleshotsecurity.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 172.22.12.28
X-Scanned-By: MIMEDefang 2.64 on 202.65.2.130
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] WESP - Roadmap Ahead
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2009 04:09:06 -0000

> 
> All of the standards I've seen that explicitly define how 
> IPsec is to  
> be used for authentication (including RFC 4552 - Authentication/ 
> Confidentiality for OSPFv3) say that for authentication 
> ESP-Null MUST  
> be used and AH MAY.

In fact there was some discussion of using IPSec for OSPFv2 authentication, and that proposal too uses ESP as a MUST and AH as a MAY.

http://tools.ietf.org/html/draft-gupta-ospf-ospfv2-sec-01

Cheers, Manav

> 
> Which RFCs specify AH specifically as a MUST for authentication/ 
> integrity?
> 
> Now on the flip side, in practical implementations, most vendors I  
> know of started off with AH being used for OSPFv3 and I doubt in  
> practice people are using ESP-Null.  Would love to be wrong here :)
> 
> - merike
> 
> On Nov 11, 2009, at 7:28 PM, Stephen Kent wrote:
> 
> > At 7:44 AM +0530 11/12/09, Bhatia, Manav (Manav) wrote:
> >> Steve,
> >>
> >>>  I would have no problem deprecating AH in the context of 
> the IPsec
> >>>  architecture document, if others agree. It is less 
> efficient  than
> >>>  ESP-NULL. However, other WGs have cited AH as the IPsec 
> protocol of
> >>>  choice for integrity/authentication in their 
> environments, so there
> >>>  will be a need to coordinate with them, and it may be  
> >>> unacceptable to
> >>>  kill AH as a standalone protocol for them.
> >>
> >> I agree that it is a trifle too early to start deprecating AH,  
> >> though I wouldn't mind doing so. OTOH, don't most WGs already  
> >> suggest AH as a MAY, and ESP-NULL as a MUST?
> >
> > Not always. For example, I believe that OSPF security makes use of  
> > AH, outside the IPsec context.
> >
> >> In any case what should be the stand for the newer work 
> that comes  
> >> out of these WGs. Should they spell out support for AH, or should  
> >> they just be talking about ESP (or ESP-NULL or WESP)?
> >
> > I'd recommend ESP-NULL, unless the context on which the operate  
> > might require inspection by an intermediate system.
> >
> >> If we want to deprecate AH, or at least discourage its use in the  
> >> context of the IPSec architecture in the near future then  
> >> shouldn't we be working on this?
> >
> > Part of the problem is that some WGs want to make use of IPsec  
> > protocols outside of the IPsec architecture.
> >
> >>  > I am not comfortable with the notion of ESP with WESP.  
> WESP adds
> >>  > more per-packet overhead than ESP, and some users are very  
> >> sensitive
> >>>  to this aspect of IPsec use. Also, other WG rely on ESP and we  
> >>> would
> >>>  need to convince them that the packet inspection features of WESP
> >>>  merit making changes to their standards, which might be a tough  
> >>> sell.
> >>
> >> I agree. However, we should start socializing WESP in 
> other WGs so  
> >> that folks are at least aware of it.
> >
> > Agree.
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
> >
> 
>

v2.23.0 | Report a Bug | By Email