IETF Logo Mail Archive

Re: [IPsec] draft-bhatia-moving-ah-to-historic

Yoav Nir <ynir@checkpoint.com> Mon, 16 April 2012 11:27 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4DE021F8627 for <ipsec@ietfa.amsl.com>; Mon, 16 Apr 2012 04:27:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.577
X-Spam-Level:
X-Spam-Status: No, score=-10.577 tagged_above=-999 required=5 tests=[AWL=0.022, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jLnuwM2rcUis for <ipsec@ietfa.amsl.com>; Mon, 16 Apr 2012 04:27:16 -0700 (PDT)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 92F3121F862B for <ipsec@ietf.org>; Mon, 16 Apr 2012 04:27:15 -0700 (PDT)
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id q3GBR6OQ011109; Mon, 16 Apr 2012 14:27:07 +0300
X-CheckPoint: {4F8C0F04-1-1B221DC2-5FFFF}
Received: from il-ex03.ad.checkpoint.com (194.29.34.71) by il-ex01.ad.checkpoint.com (194.29.34.26) with Microsoft SMTP Server (TLS) id 8.3.213.0; Mon, 16 Apr 2012 14:26:02 +0300
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex03.ad.checkpoint.com ([194.29.34.71]) with mapi; Mon, 16 Apr 2012 14:25:48 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Nick Hilliard <nick@inex.ie>
Date: Mon, 16 Apr 2012 14:25:51 +0300
Thread-Topic: [IPsec] draft-bhatia-moving-ah-to-historic
Thread-Index: Ac0bw6u3d6u5ZJURT6WNxQjCVYnAVg==
Message-ID: <5C94A95E-D36E-4474-8D17-0E17E2493E0F@checkpoint.com>
References: <4F8BFA0E.4080006@inex.ie>
In-Reply-To: <4F8BFA0E.4080006@inex.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 11551fa8adde2c5c39ff1d036ff2fda62509a514b1
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-KSE-AntiSpam-Interceptor-Info: protection disabled
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] draft-bhatia-moving-ah-to-historic
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Apr 2012 11:27:16 -0000

On Apr 16, 2012, at 1:53 PM, Nick Hilliard wrote:

> I'd like to add a voice of support to this draft.  AH adds little except
> complication to ipsec implementations and confusion to end users.

It only adds confusion and complication in the sense that telnet adds them (ESP is SSH in this analogy). If you don't implement it you and your users don't get confused. Besides, the end users of IPsec who actually have to know what ESP is vs what AH is are very sophisticated. They're not the people who simply press "Connect" on their L2TP or VPN clients.

> Regarding ipv4 NATs, they are ubiquitous and will become more so once ipv4
> scarcity is realised worldwide (particularly in asia, which is currently
> the fastest growing global region, and has already reached RIR exhaustion).

Maybe, maybe not. As ISPs move large blocks of users to a combination of IPv6 and CGN, blocks of IPv4 address space may be freed up. But regardless, NAT *is* going to be with us for a while, even in IPv6.

> There was a previous comment about this draft about the NAT/AH issue being
> a NAT problem rather than an AH problem.  Well, yeah, in the purest sense
> this is true, but we live in the real world and need to work within its
> limitations.  You can apply fixups and ALGs to lots of protocols which are
> NAT sensitive, but AH is cryptographically incompatible with NAT and this
> cannot be fixed.

Nothing's stopping you from proposing 4302bis, which will be compatible with NATs. There just isn't much demand for changing AH like that.

> I see little value in the IETF formally supporting a protocol which simply
> cannot work for most end-users on the basis of the access addressing
> provided.  Formal deprecation / designation to historic status is
> appropriate in this case.

Formal deprecation is pretty much meaningless. Consider this example:
Suppose the TICTOC working group decide that they need packet authentication for time signals, but not encryption. (makes sense, as they only deliver the time of day). They can go with either AH or ESP-Null. They also don't care about NAT, because NATs introduce so much jitter, that they'll ruin the accuracy of PTP, so PTP does not go through NAT anyway. They also first construct the IPsec packet, then paste the timestamp where it's needed, and quickly calculate the hash. If they can do this with less jitter with AH than with ESP, do you think they'll actually care whether they're using a "current" or "historic" standard?  They'll just use whatever gets the job done better.

Even "historic" does not mean everyone has to stop using it, even in new standards. It just means that you have to have a really good justification why you need that rather than ESP. That's the situation already. Declaring it so doesn't help.

> Also +1 to the following arguments:
> 
> - ESP + NULL == substantially equivalent
> - less mailing list chatter

Well, this draft generated a 77-post thread. Then the mailing list got quiet about it, and we had three months without any mention of AH. I think moving it to historic creates a lot more mailing list chatter than ignoring it.

Yoav

v2.23.0 | Report a Bug | By Email