Re: [IPsec] Working Group Last Call: draft-ietf-ipsecme-esp-ah-reqts

"Valery Smyslov" <svanru@gmail.com> Wed, 26 February 2014 07:07 UTC

Message-ID: <C304982FF00F49BCB9A581CF122595FC@buildpc>
From: "Valery Smyslov" <svanru@gmail.com>
To: "Paul Hoffman" <paul.hoffman@vpnc.org>, "Paul Wouters" <paul@cypherpunks.ca>
References: <530CE583.6030801@gmail.com> <C1A9B4B9-FABA-4EAB-B325-88DCB3F3D9CB@gmail.com> <alpine.LFD.2.10.1402251615220.21879@bofh.nohats.ca> <7722BB5C-67E3-4A26-B767-D31FA122ABFB@vpnc.org>
Date: Wed, 26 Feb 2014 11:07:11 +0400
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/7XfL9k01l7Lhr5x7SykuKKz16HQ
Cc: ipsec <ipsec@ietf.org>
Subject: Re: [IPsec] Working Group Last Call: draft-ietf-ipsecme-esp-ah-reqts

Hi Paul,

>> It lists NULL ESP as a MUST. Wasn't this a MUST a leftover from the old
>> crypto export restrictions? While I think NULL ESP is a good debugging
>> tool, and a good replacement for AH in general, I don't think this is
>> really a MUST item (unless you would actually advise people to migrate
>> from AH to ESP NULL, in which case I'll cheer on this MUST)
>
> It is for systems that don't implement AH. We should probably say this 
> explicitly in section 3.

I don't think it is limited to those systems only.
You may implement AH, but you cannot use it
everywhere, as it is not compatible with NATs.
And ESP-NULL with Auth is the only substitute there.
So, it must be MUST for any system.

Regards,
Valery Smyslov.
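To illustrate the NAT point made in the message above, here is an added example (not from this thread or from any IPsec implementation) that models why an AH integrity check fails once a NAT rewrites the outer source address, while the ICV of ESP-NULL with authentication is unaffected. It assumes HMAC-SHA1-96 as the integrity algorithm, a constructed key, RFC 5737 documentation addresses, and leaves UDP encapsulation (NAT-T) out of scope.

```python
import hashlib
import hmac
import socket
import struct

# Constructed 160-bit key for this example; a real SA key is negotiated by IKE.
KEY = bytes(range(20))

def hmac_sha1_96(data: bytes) -> bytes:
    """HMAC-SHA1-96 (RFC 2404): 160-bit HMAC truncated to 96 bits."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ipv4_header(src: str, dst: str, ttl: int, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header; length and checksum left 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    # AH covers the outer IP header with mutable fields (TTL, checksum) zeroed;
    # the addresses are immutable and are therefore part of the MAC input.
    return hmac_sha1_96(ipv4_header(src, dst, ttl=0, proto=51) + payload)

def esp_null_icv(spi: int, seq: int, payload: bytes) -> bytes:
    # ESP-NULL with authentication covers SPI, sequence number and payload only;
    # the outer IP header is outside the MAC input.
    return hmac_sha1_96(struct.pack("!II", spi, seq) + payload)

def ah_packet(src: str, dst: str, payload: bytes) -> dict:
    return {"src": src, "dst": dst, "payload": payload, "icv": ah_icv(src, dst, payload)}

def esp_null_packet(src: str, dst: str, spi: int, seq: int, payload: bytes) -> dict:
    return {"src": src, "dst": dst, "spi": spi, "seq": seq, "payload": payload,
            "icv": esp_null_icv(spi, seq, payload)}

def nat_rewrite_source(pkt: dict, nat_src: str) -> dict:
    # A NAT replaces the outer source address in transit (and fixes the IP checksum).
    return {**pkt, "src": nat_src}

def ah_verify(pkt: dict) -> bool:
    # The receiver recomputes the ICV over the header it actually received.
    return hmac.compare_digest(pkt["icv"], ah_icv(pkt["src"], pkt["dst"], pkt["payload"]))

def esp_null_verify(pkt: dict) -> bool:
    # The rewritten outer header never enters the ESP ICV computation.
    return hmac.compare_digest(pkt["icv"], esp_null_icv(pkt["spi"], pkt["seq"], pkt["payload"]))
```

Running `ah_verify` and `esp_null_verify` on packets passed through `nat_rewrite_source` shows the AH check rejecting the packet and the ESP-NULL check accepting it.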