IETF Logo Mail Archive

Re: [IPsec] Avoiding Authentication Header (AH)

"Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com> Mon, 02 January 2012 15:16 UTC

Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1271821F889A for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 07:16:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.567
X-Spam-Level:
X-Spam-Status: No, score=-6.567 tagged_above=-999 required=5 tests=[AWL=0.032, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w2e6AeFOOA8p for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 07:16:17 -0800 (PST)
Received: from ihemail2.lucent.com (ihemail2.lucent.com [135.245.0.35]) by ietfa.amsl.com (Postfix) with ESMTP id 697FC21F888A for <ipsec@ietf.org>; Mon, 2 Jan 2012 07:16:17 -0800 (PST)
Received: from inbansmailrelay2.in.alcatel-lucent.com (h135-250-11-33.lucent.com [135.250.11.33]) by ihemail2.lucent.com (8.13.8/IER-o) with ESMTP id q02FGDHN021463 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 2 Jan 2012 09:16:15 -0600 (CST)
Received: from INBANSXCHHUB03.in.alcatel-lucent.com (inbansxchhub03.in.alcatel-lucent.com [135.250.12.80]) by inbansmailrelay2.in.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q02FGBgV030642 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Mon, 2 Jan 2012 20:46:12 +0530
Received: from INBANSXCHMBSA1.in.alcatel-lucent.com ([135.250.12.38]) by INBANSXCHHUB03.in.alcatel-lucent.com ([135.250.12.80]) with mapi; Mon, 2 Jan 2012 20:46:11 +0530
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: RJ Atkinson <rja.lists@gmail.com>, IPsec ME WG List <ipsec@ietf.org>
Date: Mon, 02 Jan 2012 20:46:10 +0530
Thread-Topic: [IPsec] Avoiding Authentication Header (AH)
Thread-Index: AczJW6T+2hHNazq9RyqDMuiFB0e25AAA+hbw
Message-ID: <7C362EEF9C7896468B36C9B79200D8350D027BB46F@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com>
In-Reply-To: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.35
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jan 2012 15:16:18 -0000

[clipped]

> Most major IPv6 routers, for example multiple product lines from both Cisco 
> and Juniper, also support AH in shipping product and have done for some while now.  
> So AH remains a very widely available protocol.

It may be widely available, but clearly it isnt as widely used.

Are you suggesting that newer protocols should mandate AH or they should be proposing extensions to AH? I think all we're saying is that newer protocols should suggest extensions to ESP-NULL wherever possible. They must have a good reason to suggest mandating AH. What is the problem with this?

>	- Many IPv6 deployments using OSPFv3 have enabled
>	  OSPFv3 protection using AH.  Most router vendors,
>	  including (for example) multiple product lines 
>	  from both Cisco and Juniper, shipped this capability 
>	  long ago -- and this use of AH is both interoperable 
>	  and widespread, largely within IPv6 enterprise
>	  deployments.  OSPFv3 itself is largely deployed in
>	  enterprises today, as I/IS-IS is more popular with
>	  ISPs.

The RFC that describes OSPFv3 authentication has the following line:

In order to provide authentication to OSPFv3, implementations MUST support ESP and MAY support AH.

You might also be interested in the following draft which will be published as RFC any time now:
http://tools.ietf.org/html/draft-ietf-ospf-auth-trailer-ospfv3-11

>
>	  [NOTE WELL:  AH for OSPFv3 has NOT been deprecated, and
>	  remains on the IETF standards track.  It is interesting,
>	  however, that author of this AH draft is trying to kill 
>	  off the use of AH to protect routing information -- 
>	  apparently because his employer does not offer this 
>	  AH for OSPFv3 capability in its released products.]

Really? I would like to try whatever you've been smoking.

>	- Some IPv6 profiles, including the US Government
>	  profile for IPv6, require AH support either generally
>	  or in certain situations (example: to protect OSPFv3,
>	  to authenticate certain IP options or IP extension
>	  headers).

Just trying to understand. Is there a reason why ESP-NULL cant be used?

> This WG ought not make existing legitimate uses of AH invalid or not recommended.  

What makes you think that this draft is trying to do that?

> There is no available alternative for authenticating IP-layer options, extension headers, and so forth.  
> AH is the only available way to do such authentication at present.

If you include the ESP header before the extension headers can you not use it to authenticate the extension headers?

> FIREWALLS & MIDDLEBOXES:
>
> While this WG has produced some documents with guidance on how to approach parsing 
> past an ESP header when NULL encryption is used, we still do not have a completely 
> reliable way to parse past an ESP header when NULL encryption is used.  

And pray why is that?

Manav

v2.23.0 | Report a Bug | By Email