Re: [IPsec] WESP - Roadmap Ahead

Stephen Kent <> Mon, 16 November 2009 16:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3CBC03A6AE0 for <>; Mon, 16 Nov 2009 08:40:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.166
X-Spam-Status: No, score=-2.166 tagged_above=-999 required=5 tests=[AWL=0.434, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0ooeCx7pghhZ for <>; Mon, 16 Nov 2009 08:40:02 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 5626C3A6ADE for <>; Mon, 16 Nov 2009 08:40:02 -0800 (PST)
Received: from ([]) by with esmtp (Exim 4.63) (envelope-from <>) id 1NA4cP-0007A0-Cd; Mon, 16 Nov 2009 11:39:58 -0500
Mime-Version: 1.0
Message-Id: <p06240800c723d673384e@[]>
In-Reply-To: <>
References: <> <p06240800c720d4538dd2@> <p0624080ac7212e67c860@> <> <p0624080ec7213743dc05@> <> <> <> <p06240805c72267851254@[]> <> <p06240825c7229aead977@[]> <>
Date: Mon, 16 Nov 2009 11:39:30 -0500
To: Steven Bellovin <>
From: Stephen Kent <>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: "" <>, "Bhatia, Manav \(Manav\)" <>
Subject: Re: [IPsec] WESP - Roadmap Ahead
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 16 Nov 2009 16:40:03 -0000

>Divine guidance is, I suppose, one way to do protocol design, but it 
>could lead to *real* religious wars....

an appropriate caution given my typo :-).

>  >
>>  Also, note that IPSO and CIPSO are examples of options that were 
>>discussed at the IPSECME meeting this week, where there is a need 
>>to bind the options to the payload.  I observed that using tunnel 
>>mode (ESP) addresses this concern, but one could also note that 
>>using AH would do the same, with lower per-packet bandwidth 
>Or put the labels in the SA, since especially for IPSO you probably 
>want cryptographic separation of different security levels.

There are various options here. I know of devices that have opted to 
use ESP in tunnel mode to ensure the binding, and that is what I 
noted during the IPSECME WG session. I may know of an instance or two 
where AH has been used to do this, because if introduced less 
(bandwidth) overhead than tunnel mode. Implementations that make use 
of IPSO or CIPSO should negotiate the labels as part of the SA. The 
label should be part of the SPD, and be checked based on SAD entry 
data cached form the SPD. (Can you tell that I've been through al of 
this?) We had a presentation by Joy (remotely) on adding label 
support, as a new work item, which would explore these issues in more 
detail, if we choose to adopt this as a new Wg item.

>I did go through the analysis you suggest for IPv4 and concluded 
>that nothing was both protectable and useful.  I also noted the 
>following issue:
>	Furthermore, the AH spec says that we can't
>	enumerate the v4 options, and hence whether or not they should
>	be included or not -- but RFC1122 says that unknown IP options
>	MUST be silently ignored.  So an implementation can receive an
>	option that it doesn't recognize, doesn't know if it changes
>	en route, must be ignored anyway -- but may or may not be included
>	in the AH calculation, and the receiver doesn't know.
>Note, of course, that that was from 1995; I have not repeated the 
>analysis for newer AH or IPv6 specs.

I am not suggesting that any aspect of your analysis is flawed. I am 
suggesting that before the WG chooses to further deprecate AH, it 
needs to document the analysis supporting this decision, not just 
cite a couple of examples and make general statements in support of 
such an action.