Re: [IPsec] Avoiding Authentication Header (AH)

Sean Turner <turners@ieca.com> Thu, 05 January 2012 03:31 UTC

Message-ID: <4F05197A.9090505@ieca.com>
Date: Wed, 04 Jan 2012 22:31:06 -0500
From: Sean Turner <turners@ieca.com>
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
References: <7C362EEF9C7896468B36C9B79200D8350D028A2953@INBANSXCHMBSA1.in.alcatel-lucent.com> <6442.1325686562@marajade.sandelman.ca> <7C362EEF9C7896468B36C9B79200D8350D028A2AE5@INBANSXCHMBSA1.in.alcatel-lucent.com>
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350D028A2AE5@INBANSXCHMBSA1.in.alcatel-lucent.com>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Nico Williams <nico@cryptonector.com>, "mcr@sandelman.ca" <mcr@sandelman.ca>
Subject: Re: [IPsec] Avoiding Authentication Header (AH)

Manav,

I'm trying to figure out whose implementation this situation will create 
a problem for?  If the new application or protocol ends up doing one of 
the 3 things you listed 
(http://www.ietf.org/mail-archive/web/ipsec/current/msg07401.html), then 
is the problem that those who haven't implemented AH now have to?

Are there any new applications or protocols that are mandating the use 
of AH?

Currently, I'm unconcerned about somebody sneaking a new protocol that 
mandates AH past the IETF because of this group.  This group certainly 
isn't made up of shrinking violets ;)

spt

On 1/4/12 9:22 AM, Bhatia, Manav (Manav) wrote:
> Hi Marc,
>
> We don't say that. 4301 says that implementations MAY support AH and MUST support ESP.
>
> This creates a problem for implementations if in future a new application or a protocol mandates the use of AH.
>
> I will even go a step further and say that newer protocols should just assume ESP-NULL and not even bother with AH if they can do with just ESP.
>
> Cheers, Manav
>
> -----Original Message-----
> From: mcr@sandelman.ca [mailto:mcr@sandelman.ca]
> Sent: Wednesday, January 04, 2012 7:46 PM
> To: Bhatia, Manav (Manav)
> Cc: Nico Williams; ipsec@ietf.org
> Subject: Re: [IPsec] Avoiding Authentication Header (AH)
>
>
>>>>>> "Manav" == Manav Bhatia<Bhatia>  writes:
>      Manav>  Hi Nico,
>
>      >>  Advising (and updating said advice as circumstances change)
>      >>  use-IPsec protocol designers as to when to use ESP and/or AH is
>      >>  something we should do.  Deprecating AH seems like a nice idea,
>      >>  but if there's good reasons to still use it, then maybe not.
>
>      Manav>  We're not talking about deprecating or killing AH. I concede
>      Manav>  that I did allude to it in my first draft, but then changed
>      Manav>  the tone based on the WG feedback, to say that we should
>      Manav>  "avoid" AH wherever possible.
>
> This is the status quo already.
> Why do we need this draft?
>