Re: [IPsec] Avoiding Authentication Header (AH) (was Moving Authentication Header (AH) to Historic)

Yoav Nir <ynir@checkpoint.com> Mon, 02 January 2012 07:31 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Mon, 02 Jan 2012 09:31:02 +0200
Thread-Topic: [IPsec] Avoiding Authentication Header (AH) (was Moving Authentication Header (AH) to Historic)
Message-ID: <4FD9C90A-13E1-478A-B21B-EBB41DE9A704@checkpoint.com>
References: <7C362EEF9C7896468B36C9B79200D8350D027BB14E@INBANSXCHMBSA1.in.alcatel-lucent.com> <4EFCBE95.8040408@gmail.com> <8521357F-B4E3-4D14-9D1E-996713C2F027@checkpoint.com> <CAA1nO71n5QHJ5GzHe6qVhVNGcvK-vkOgwEi4Y2i81vXmzON-xg@mail.gmail.com> <C72CBD9FE3CA604887B1B3F1D145D05E0122FEF3@szxeml528-mbx.china.huawei.com> <4EFF61B5.2030604@gmail.com> <7C4DFCE962635144B8FAE8CA11D0BF1E05A5CC9B26@MX14A.corp.emc.com> <6E38F4E9-8335-43F9-BA7A-9BB1E209E987@vpnc.org> <7C362EEF9C7896468B36C9B79200D8350D027BB274@INBANSXCHMBSA1.in.alcatel-lucent.com> <24EFE65B-86E0-4473-AF48-98B0C50F7041@vpnc.org> <7C362EEF9C7896468B36C9B79200D8350D027BB27B@INBANSXCHMBSA1.in.alcatel-lucent.com> <20536.1325463074@marajade.sandelman.ca>
In-Reply-To: <20536.1325463074@marajade.sandelman.ca>
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] Avoiding Authentication Header (AH) (was Moving Authentication Header (AH) to Historic)

On Jan 2, 2012, at 2:11 AM, Michael Richardson wrote:

> 
> This property is simply undesirable for many security systems,
> including all VPNs.
> 
> Having said all of this,  I agree that for 99% of "Use IPsec"
> statements, ESP-NULL is likely the correct choice.

I don't think you actually meant to say that, right?

Most of the "Use IPsec" statements are followed by "and you'd better have 128 bits of security in the encryption".

Having said that, there was a thread some months ago about making a modified AH that does not MAC the stuff in previous headers - only its own fields and what follows. That would solve the "AH does not work through NAT" problem, but would make it even more indistinguishable from ESP-NULL. Except what you said about it being just another header.

Yoav
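
The distinction drawn above between standard AH and an AH that covers only its own fields and what follows can be shown directly on a packet. What follows is an added worked example (mine, not part of the thread, and not code from any IPsec implementation). It assumes IPv4 without options, HMAC-SHA256 truncated to 128 bits as the integrity algorithm, a fixed constructed key and a constructed packet, and a basic address-only NAT. Treating the "modified AH" as an ICV over the AH fields plus everything after them is my reading of the one-line description in the mail, not a published specification.

```python
"""Added example: RFC 4302 AH versus an AH that covers only itself and what follows,
both sent through a basic source NAT.  All keys, addresses and packets are constructed."""
import hashlib
import hmac
import struct

KEY = bytes(range(32))   # constructed demo key (assumption; never use a fixed key)
ICV_LEN = 16             # 128-bit truncated ICV, as for HMAC-SHA-256-128
AH_PROTO = 51            # IP protocol number of AH
NEXT_HDR_UDP = 17        # what follows AH in the constructed packet


def ip_checksum(hdr: bytes) -> int:
    """One's-complement IPv4 header checksum; hdr has its checksum field zeroed."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, total_len: int, proto: int, ttl: int = 64) -> bytes:
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_header(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH fixed fields (RFC 4302 sec. 2) + ICV; Payload Len = AH length in 32-bit words - 2."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def zero_mutable_ip_fields(iphdr: bytes) -> bytes:
    """RFC 4302 treats DSCP/ECN, Flags, Fragment Offset, TTL and Header Checksum as
    mutable and zeroes them for the ICV.  The addresses stay covered: the NAT problem."""
    b = bytearray(iphdr)
    b[1] = 0                 # TOS (DSCP + ECN)
    b[6:8] = b"\x00\x00"     # Flags + Fragment Offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # Header Checksum
    return bytes(b)


def compute_icv(covered: bytes) -> bytes:
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]


def _covered_bytes(iphdr: bytes, ah_zero_icv: bytes, payload: bytes, cover_ip: bool) -> bytes:
    # cover_ip=True is RFC 4302.  False is the "only its own fields and what follows"
    # variant; that coverage is the same as what an ESP-NULL ICV protects.
    if cover_ip:
        return zero_mutable_ip_fields(iphdr) + ah_zero_icv + payload
    return ah_zero_icv + payload


def build_ah_packet(src: str, dst: str, payload: bytes, *, cover_ip: bool,
                    spi: int = 0x1000, seq: int = 1) -> bytes:
    iphdr = ipv4_header(src, dst, 20 + 12 + ICV_LEN + len(payload), AH_PROTO)
    ah_zero = ah_header(NEXT_HDR_UDP, spi, seq, b"\x00" * ICV_LEN)
    icv = compute_icv(_covered_bytes(iphdr, ah_zero, payload, cover_ip))
    return iphdr + ah_header(NEXT_HDR_UDP, spi, seq, icv) + payload


def verify_ah_packet(pkt: bytes, *, cover_ip: bool) -> bool:
    iphdr, ah, payload = pkt[:20], pkt[20:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    ah_zero = ah[:12] + b"\x00" * ICV_LEN
    expected = compute_icv(_covered_bytes(iphdr, ah_zero, payload, cover_ip))
    return hmac.compare_digest(expected, ah[12:])


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """Basic source NAT plus one router hop: new source address, TTL - 1, checksum
    recomputed.  Nothing after the IP header is touched (no ports are visible here)."""
    b = bytearray(pkt[:20])
    b[12:16] = bytes(int(x) for x in new_src.split("."))
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ip_checksum(bytes(b)))
    return bytes(b) + pkt[20:]


def demo() -> dict:
    """Run both AH flavours through the same NAT and the same payload tamper."""
    payload = b"\x04\xd2\x00\x35\x00\x14\x00\x00constructed"   # fake UDP header + data
    results = {}
    for name, cover_ip in (("rfc4302_ah", True), ("modified_ah", False)):
        pkt = build_ah_packet("10.0.0.5", "203.0.113.9", payload, cover_ip=cover_ip)
        natted = nat_rewrite_source(pkt, "198.51.100.7")
        tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
        results[name] = {
            "valid_as_sent": verify_ah_packet(pkt, cover_ip=cover_ip),
            "valid_after_nat": verify_ah_packet(natted, cover_ip=cover_ip),
            "valid_after_payload_tamper": verify_ah_packet(tampered, cover_ip=cover_ip),
        }
    return results
```

Running demo() shows standard AH failing verification after the NAT because the source address is an immutable field under the ICV (the TTL decrement alone would not have mattered, since TTL is zeroed), while the variant survives the address rewrite and still catches the payload tamper. The price is that the variant's ICV covers exactly what an ESP-NULL ICV covers (SPI, sequence number and the data after them), which is the indistinguishability point raised above. A NAPT that also rewrote transport ports inside the payload would break both flavours, just as it breaks ESP without UDP encapsulation.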