Re: [IPsec] I-D Action: draft-ietf-ipsecme-esp-ah-reqts-03.txt

Paul Wouters <paul@cypherpunks.ca> Wed, 02 April 2014 22:13 UTC

Return-Path: <paul@cypherpunks.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99E561A03FB for <ipsec@ietfa.amsl.com>; Wed, 2 Apr 2014 15:13:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PZ9xRRP7qGNm for <ipsec@ietfa.amsl.com>; Wed, 2 Apr 2014 15:13:15 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) by ietfa.amsl.com (Postfix) with ESMTP id B86351A03F1 for <ipsec@ietf.org>; Wed, 2 Apr 2014 15:13:15 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 8D009813B1 for <ipsec@ietf.org>; Wed, 2 Apr 2014 18:13:10 -0400 (EDT)
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id s32MDAWi016392 for <ipsec@ietf.org>; Wed, 2 Apr 2014 18:13:10 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Wed, 02 Apr 2014 18:13:10 -0400
From: Paul Wouters <paul@cypherpunks.ca>
X-X-Sender: paul@bofh.nohats.ca
To: IPsec ME WG List <ipsec@ietf.org>
In-Reply-To: <3760F0D0-F93A-4AFB-BBD4-772AA717F2B6@gmail.com>
Message-ID: <alpine.LFD.2.10.1404021746580.26966@bofh.nohats.ca>
References: <5FB505F6-3CC8-4685-851D-09BB05813542@gmail.com> <7AD00C63-C36C-47F0-9D41-916847F018A2@vpnc.org> <3760F0D0-F93A-4AFB-BBD4-772AA717F2B6@gmail.com>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/EXkvDv_UM3rpCrVB6xpI42huAKA
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-esp-ah-reqts-03.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 22:13:20 -0000

On Wed, 2 Apr 2014, RJ Atkinson wrote:

>> The IPsec community generally prefers ESP with NULL encryption over AH.
>> AH is still required in some protocols and operational environments
>> when there are security-sensitive options in the IP header, such as
>> source routing headers.
>
> This does not make clear that ESP can't protect the IP options,
> which is an important-to-document limitation of ESP.

In my 15 years of IPsec work, I've hardly seen requests for AH. When our
KLIPS stack per default disabled AH support in the kernel module, no one
complained.

> It also should mention IP sensitivity label options, such as RFC-1108
> and RFC-5570 as a use case for AH, in addition to source-routing headers.

There are people that still accept source routing? How archaic....

I'm with Paul Hoffman here. I think the current text is fine.

Paul
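The coverage gap the quoted paragraphs argue about (AH covers the IP header and its options, ESP does not) is shown below as an added Python example; it is not part of the thread, the draft, or any IPsec implementation. It models a transport-mode IPv4 packet carrying an RFC 1108 Security Option and computes an AH-style ICV (header with mutable fields zeroed, options included, plus payload) and an ESP-style ICV (payload only), then reports whether each would detect a given change to the header. Assumptions: the key, addresses, payload and option bytes are constructed; the mutable/immutable field split is my summary of RFC 4302's IPv4 classification; the only option present is treated as immutable, and real ESP framing (ESP header, trailer, padding) is reduced to "payload only".

```python
import hashlib
import hmac
import struct

# Constructed demo values (not from the thread or any real deployment).
KEY = b"constructed-demo-key"
SRC = bytes([192, 0, 2, 1])        # RFC 5737 documentation addresses
DST = bytes([198, 51, 100, 7])
PAYLOAD = b"constructed payload"
# RFC 1108 Basic Security Option: type 130, length 4, classification "Secret"
# (0x5A), one protection-authority octet. Constructed for illustration.
SECURITY_OPTION = b"\x82\x04\x5a\x00"
OPT_OFFSET = 20   # options start right after the fixed 20-byte IPv4 header


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement header checksum (checksum field must be zero)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(options: bytes = SECURITY_OPTION, ttl: int = 64) -> bytes:
    """Return a fixed IPv4 header plus options padded to 32-bit words.
    Protocol 51 (AH) is a placeholder next-header value; checksum is filled in."""
    opts = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(opts) // 4
    total_len = ihl * 4 + len(PAYLOAD)
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s",
                                (4 << 4) | ihl, 0, total_len, 0x1234, 0x4000,
                                ttl, 51, 0, SRC, DST)) + opts
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def ah_covered_bytes(header: bytes, payload: bytes) -> bytes:
    """Bytes an AH ICV is computed over, per RFC 4302's IPv4 rules as summarised
    here (assumption): mutable fields are zeroed, all other header bytes are
    covered, then the payload follows. Options are kept unchanged because the
    only option in this demo (Security Option) is classified immutable; a
    mutable option such as Record Route would be zeroed instead."""
    h = bytearray(header)
    h[1] = 0                  # DSCP/ECN (old TOS)
    h[6:8] = b"\x00\x00"      # flags and fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h) + payload


def esp_covered_bytes(header: bytes, payload: bytes) -> bytes:
    """Bytes an ESP ICV is computed over: ESP header, payload and trailer.
    The outer IP header, options included, is outside the ICV; this demo
    models that by covering only the payload."""
    return payload


def icv(data: bytes) -> str:
    """Keyed integrity check value (HMAC-SHA-256 stands in for the SA's MAC)."""
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def detects_tamper(tamper) -> tuple:
    """Apply `tamper` to a copy of the header and return (ah_detects, esp_detects):
    whether each protocol's ICV over the modified packet differs from the original."""
    header = build_ipv4_header()
    ah_ref = icv(ah_covered_bytes(header, PAYLOAD))
    esp_ref = icv(esp_covered_bytes(header, PAYLOAD))
    mod = bytes(tamper(bytearray(header)))
    return (icv(ah_covered_bytes(mod, PAYLOAD)) != ah_ref,
            icv(esp_covered_bytes(mod, PAYLOAD)) != esp_ref)


def relabel_security_option(h: bytearray) -> bytearray:
    """Rewrite the classification level inside the IP Security Option."""
    h[OPT_OFFSET + 2] = 0xAB   # "Unclassified" in RFC 1108's encoding
    return h


def decrement_ttl(h: bytearray) -> bytearray:
    """The change every router makes legitimately; neither ICV may depend on it."""
    h[8] -= 1
    return h


def rewrite_destination(h: bytearray) -> bytearray:
    """Change the destination address (no source route present, so immutable)."""
    h[16:20] = bytes([203, 0, 113, 9])
    return h


if __name__ == "__main__":
    for name, fn in [("relabel security option", relabel_security_option),
                     ("decrement TTL", decrement_ttl),
                     ("rewrite destination", rewrite_destination)]:
        ah, esp = detects_tamper(fn)
        print(f"{name:24s} AH detects: {ah!s:5} ESP detects: {esp}")
```

Running it shows the point the draft text makes: a relabelled Security Option or a rewritten destination changes the AH-style ICV but leaves the ESP-style ICV untouched, while a TTL decrement is invisible to both, which is exactly why AH zeroes that field before computing its ICV.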