Re: [IPsec] draft-bhatia-moving-ah-to-historic
Nick Hilliard <nick@inex.ie> Mon, 16 April 2012 16:23 UTC
Return-Path: <nick@inex.ie>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C7CC11E8099 for <ipsec@ietfa.amsl.com>; Mon, 16 Apr 2012 09:23:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7asrsQBCEBdr for <ipsec@ietfa.amsl.com>; Mon, 16 Apr 2012 09:23:02 -0700 (PDT)
Received: from mail.acquirer.com (mail.acquirer.com [IPv6:2a03:8900:0:100::5]) by ietfa.amsl.com (Postfix) with ESMTP id BB1ED11E8091 for <ipsec@ietf.org>; Mon, 16 Apr 2012 09:22:48 -0700 (PDT)
X-Envelope-To: ipsec@ietf.org
Received: from dhcp-26-238.ripemtg.ripe.net ([IPv6:2001:67c:64:42:ad48:acbf:e018:9e1d]) (authenticated bits=0) by mail.acquirer.com (8.14.4/8.14.4) with ESMTP id q3GGMNJa004796 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Mon, 16 Apr 2012 17:22:29 +0100 (IST) (envelope-from nick@inex.ie)
Message-ID: <4F8C4747.5030902@inex.ie>
Date: Mon, 16 Apr 2012 18:22:31 +0200
From: Nick Hilliard <nick@inex.ie>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: Yoav Nir <ynir@checkpoint.com>
References: <4F8BFA0E.4080006@inex.ie> <5C94A95E-D36E-4474-8D17-0E17E2493E0F@checkpoint.com>
In-Reply-To: <5C94A95E-D36E-4474-8D17-0E17E2493E0F@checkpoint.com>
X-Enigmail-Version: 1.4
X-Company-Info-1: Internet Neutral Exchange Association Limited. Registered in Ireland No. 253804
X-Company-Info-2: Registered Offices: 1-2, Marino Mart, Fairview, Dublin 3
X-Company-Info-3: Internet Neutral Exchange Association Limited is limited by guarantee
X-Company-Info-4: Offices: 4027 Kingswood Road, Citywest, Dublin 24.
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] draft-bhatia-moving-ah-to-historic
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Apr 2012 16:23:03 -0000
On 16/04/2012 12:25, Yoav Nir wrote: > It only adds confusion and complication in the sense that telnet adds > them (ESP is SSH in this analogy). To be fair, it adds a lot more confusion than telnet vs ssh. With my !inex.ie hats on, I see smart but untrained ops people attempting to configure up their firewall / vpn systems and not realise that AH is actually a separate protocol, but actually requires end-to-end support for protocol 51. Then they stumble on the fact that it doesn't work with NAT and further anxiety ensues. Debugging firewall problems is at least a level 2 support issue, and often requires escalation to level 3. This sort of support burden is expensive. > If you don't implement it you and your users don't get confused. It's not me using it - it's my clients' customers. The end-users are one level further removed from that. > Besides, the end users of IPsec who actually have to know what ESP is vs > what AH is are very sophisticated. They're not the people who simply > press "Connect" on their L2TP or VPN clients. Indeed, and I'm talking about operators who configure these services, not end users who click connect. > Maybe, maybe not. As ISPs move large blocks of users to a combination of > IPv6 and CGN, blocks of IPv4 address space may be freed up. But > regardless, NAT *is* going to be with us for a while, even in IPv6. I question whether we will ever transition to ipv6. I hope we will, but rate it somewhat unlikely at this stage of the Internet's evolution. This is a separate discussion though. IPv4 NAT will be around for the forseeable future - e.g. many decades at the very least. > Nothing's stopping you from proposing 4302bis, which will be compatible > with NATs. There just isn't much demand for changing AH like that. That particular wheel has already been invented many times at many layers (esp, ssl/tls, etc). > Suppose the TICTOC working group decide that they need packet > authentication for time signals, but not encryption. (makes sense, as > they only deliver the time of day). They can go with either AH or > ESP-Null. They also don't care about NAT, because NATs introduce so much > jitter, that they'll ruin the accuracy of PTP, so PTP does not go > through NAT anyway. They also first construct the IPsec packet, then > paste the timestamp where it's needed, and quickly calculate the hash. > If they can do this with less jitter with AH than with ESP, do you think > they'll actually care whether they're using a "current" or "historic" > standard? They'll just use whatever gets the job done better. This is an edge case. It's possible to create edge cases for anything. > Even "historic" does not mean everyone has to stop using it, even in new > standards. It just means that you have to have a really good > justification why you need that rather than ESP. That's the situation > already. Declaring it so doesn't help. The IETF is very self-deprecating about historic status. There's nothing wrong with a document saying: -- operators: this protocol has serious problems in practice. therefore we suggest you use $otherprotocol which has none of these problems and is better in almost every other respect. developers: don't bother. no point. -- Call it good housekeeping. Call it operational guidance that access providers can show to their customers about why AH is not a good idea. Whatever it's called, historic status is a good place for moribund protocols to be placed, lovingly or otherwise. > Well, this draft generated a 77-post thread. Then the mailing list got > quiet about it, and we had three months without any mention of AH. Sounds pretty typical for most mailing lists...? > I think moving it to historic creates a lot more mailing list chatter > than ignoring it. Right now yes. But this argument will go round in circles for the next 50 years until people finally accept that AH is generally not useful. During that time, there will be much mailing list chatter about it, on this and other lists. Best consign it to history and close that particular door. It was good while it was relevant, but those times are gone. Nick
- [IPsec] draft-bhatia-moving-ah-to-historic Nick Hilliard
- Re: [IPsec] draft-bhatia-moving-ah-to-historic Yoav Nir
- Re: [IPsec] draft-bhatia-moving-ah-to-historic Nick Hilliard