IETF Logo Mail Archive

Re: [IPsec] Avoiding Authentication Header (AH)

Tero Kivinen <kivinen@iki.fi> Thu, 05 January 2012 14:00 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06B7C21F881B for <ipsec@ietfa.amsl.com>; Thu, 5 Jan 2012 06:00:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mop29aU7nMH0 for <ipsec@ietfa.amsl.com>; Thu, 5 Jan 2012 06:00:45 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by ietfa.amsl.com (Postfix) with ESMTP id 160D221F8817 for <ipsec@ietf.org>; Thu, 5 Jan 2012 06:00:44 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id q05E0bgL006932 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 5 Jan 2012 16:00:37 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id q05E0aum018931; Thu, 5 Jan 2012 16:00:36 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <20229.44292.629825.7429@fireball.kivinen.iki.fi>
Date: Thu, 05 Jan 2012 16:00:36 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350D028A2AE4@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D027BB46F@INBANSXCHMBSA1.in.alcatel-lucent.com> <F1B15794-3291-4E71-BE26-A3559F408B01@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D027BB484@INBANSXCHMBSA1.in.alcatel-lucent.com> <23AFA108-5B72-4CB0-8498-6CC27FC79F96@gmail.com> <CAA1nO734gfXYJLeLU9iYxoArPZJ3Xo3MsXy0Rt9zgoTciBCZbQ@mail.gmail.com> <CAK3OfOg0Gsxxf8T66XNVLHtR1Tk9yHFDGw96tr0UkEh6x5uYpQ@mail.gmail.com> <48CB2A9F-D59C-462F-8C7A-82127A217703@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D028A2AE4@INBANSXCHMBSA1.in.alcatel-lucent.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 18 min
X-Total-Time: 18 min
Cc: IPsec ME WG List <ipsec@ietf.org>
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2012 14:00:46 -0000

Bhatia, Manav (Manav) writes:
> > There is no evidence of any recent change either to the operational 
> > circumstances or to the available alternatives.  So no update is
> > appropriate at this time. 
> 
> One major recent change is the publication of WESP [RFC 5840] and
> the standard for using Heuristics for detecting ESP-NULL packets
> [RFC 5879].  
> 
> This takes away one major reason why folks wanted to use AH - that
> of being able to deep inspect packets. 
> 
> Even the NIST guidelines for IPv6 deployment says that the main
> argument in favor of AH is the ability to inspect packets. With WESP
> even that goes away. 

Getting WESP implemented to the boxes will require a lot of time.
There are still lots of boxes which do not even support IKEv2 (which
is required for WESP) and IKEv2 has been out for 6 years already. AH
might already be implemented on some boxes, so using it might offer
faster deployment time than WESP. The only *protocol* benefit WESP
have over AH is that it works through NATs.

As I see it the main reason AH is now MAY, not MUST, is that there has
not been that much use for it, and that has caused it to be as second
class citizen in the VPN driven IPsec work. Because of that testing
etc has been somewhat ommitted. For example most of the
interoperability events has concentrated ESP testing, and only very
briefly done some AH testing (if there has been extra time).

Because quite a lot of IPsec development have been driven by the VPN
vendors, who do not have use for AH (or WESP), those vendors have seen
the previous mandatory to implment AH, as unnecessary burden for their
implementations. Thats why degrading it to MAY was good way forward in
the RFC4301.

This does not mean there is no use for AH in some environments. I
personally (at least now) think that it would have been more useful to
just say use AH than to create WESP (and heuristics) at all... That
would have given some use cases for AH, which would have then perhaps
moved it back to used track in the IPsec protocol family.

I myself think there is no reason to say anything about AH at this
point. It is MAY, so nobody needs to implement it. Every new protocol
using IPsec should consider whether they want to use ESP, ESP-NULL,
WESP, or AH and make their own decisions based on what would be best
for that environment and protocol. I.e if you require confidentiality
then you needs to use ESP, if you require transport mode outer IP
option protection you need to use AH, otherwise you can pick any of
them...

If you want to make sure other protocols do not unnecessarely specify
AH for their use, you should just participate in writing those
specifications and explain why do you think AH should be avoided in
that environment. 
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email