Re: [IPsec] Moving Authentication Header (AH) to Historic

Venkatesh Sriram <vnktshsriram@gmail.com> Fri, 30 December 2011 16:47 UTC

In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350D027BB14E@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <7C362EEF9C7896468B36C9B79200D8350D027BB14E@INBANSXCHMBSA1.in.alcatel-lucent.com>
Date: Fri, 30 Dec 2011 22:17:02 +0530
Message-ID: <CAObD46tphBqALP7iamX1undNzTXKS15962L6B3VOW-REAEuegA@mail.gmail.com>
From: Venkatesh Sriram <vnktshsriram@gmail.com>
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
Cc: "IPsec@ietf.org" <IPsec@ietf.org>
Subject: Re: [IPsec] Moving Authentication Header (AH) to Historic

AH and ESP can theoretically be applied in combination with each other
to exploit the strengths of both protocols but, in most real-world
scenarios, ESP alone is enough.

When used together, AH authentication and ESP encryption result in a
higher percentage increase in network load for small files when
compared to ESP encryption and authentication. If the percentage of
small files sent over a network is significant and the network has
limited bandwidth (wireless?), then it's always better to use ESP
instead of AH to provide authentication.

I am yet to come across a really compelling argument in favor of AH.

A small nit: you should also mention RFC 5879, "Heuristics for
Detecting ESP-NULL Packets", alongside RFC 5840 (WESP) when you
discuss deep inspection of ESP-NULL packets.

Sriram

On Fri, Dec 30, 2011 at 12:21 AM, Bhatia, Manav (Manav)
<manav.bhatia@alcatel-lucent.com> wrote:
> Hi,
>
> We have had several discussions in the past about the utility of AH when ESP with NULL encryption offers everything that AH has to offer. I have written a very small draft that recommends moving AH to the Historic status. This document does NOT deprecate AH and it does NOT mean that people should stop using AH now. All it means is that other WGs should use ESP-NULL whenever defining integrity verification mechanisms and should only use AH when authentication cannot be achieved with ESP-NULL. I also discuss a few points that people usually put in favor of AH over ESP and why I think that those are not very relevant.
>
> I would love to hear feedback from the WG.
>
> The URL for the draft is:
> http://www.ietf.org/internet-drafts/draft-bhatia-moving-ah-to-historic-00.txt
>
> Happy New Year in advance!
>
> Cheers, Manav
>
> From: internet-drafts@ietf.org
> To: i-d-announce@ietf.org
> Reply-to: internet-drafts@ietf.org
> Subject: I-D Action: draft-bhatia-moving-ah-to-historic-00.txt
> X-RSN: 1/0/935/40711/44097
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>
> Title : Moving Authentication Header (AH) to Historic
> Author(s) : Manav Bhatia
> Filename : draft-bhatia-moving-ah-to-historic-00.txt
> Pages : 5
> Date : 2011-12-29
>
> This document recommends retiring Authentication Header (AH) and
> discusses the reasons for doing so. It recommends moving RFC 4302 to
> Historic status.
>
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-bhatia-moving-ah-to-historic-00.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> This Internet-Draft can be retrieved at:
> ftp://ftp.ietf.org/internet-drafts/draft-bhatia-moving-ah-to-historic-00.txt
>
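The per-packet overhead argument in Sriram's reply (AH plus ESP encryption versus ESP with its own integrity check, and why the gap matters most for small packets) can be made concrete by counting bytes from the header layouts in RFC 4302 and RFC 4303. The following calculator is an added example written for this archive page; it is not code from the thread, the draft, or any IPsec implementation. It assumes IPv4 transport mode, a 12-byte ICV (HMAC-SHA1-96) for both AH and ESP, AES-CBC with a 16-byte IV and block size when encrypting, and it ignores the outer IP header that tunnel mode would add equally to every variant.

```python
"""Per-packet byte overhead of AH vs ESP variants (added example, not from the thread).

Header sizes come from RFC 4302 (AH) and RFC 4303 (ESP). Assumptions: IPv4,
HMAC-SHA1-96 (12-byte ICV), AES-CBC (16-byte IV and block) when encryption is on.
"""

ESP_HEADER = 8          # SPI (4) + Sequence Number (4), RFC 4303 Section 2
ESP_TRAILER_FIXED = 2   # Pad Length (1) + Next Header (1), RFC 4303 Section 2
AH_FIXED = 12           # Next Header, Payload Len, Reserved (2), SPI (4), Seq (4)


def ah_len(icv_len=12, ipv6=False):
    """Total AH length: fixed fields plus ICV, padded so the header is a multiple
    of 32 bits (IPv4) or 64 bits (IPv6), as RFC 4302 Section 2.2 requires."""
    align = 8 if ipv6 else 4
    raw = AH_FIXED + icv_len
    return raw + (-raw % align)


def esp_len(payload_len, cipher_block=16, iv_len=16, icv_len=12):
    """Bytes ESP wraps around a payload: header, IV, padding, trailer and ICV.

    Padding makes payload + padding + 2-byte trailer a multiple of the cipher
    block size, and at least 4-byte aligned (RFC 4303 Section 2.4). For ESP-NULL
    pass cipher_block=1 and iv_len=0; for no integrity check pass icv_len=0.
    """
    align = max(cipher_block, 4)
    pad = (-(payload_len + ESP_TRAILER_FIXED)) % align
    return ESP_HEADER + iv_len + pad + ESP_TRAILER_FIXED + icv_len


def compare(payload_len):
    """Compare the two ways of getting encryption plus integrity for one payload:
    ESP with ICV (one header) versus AH wrapped around ESP without ICV (two headers)."""
    esp_enc_auth = esp_len(payload_len)                    # ESP does both jobs
    ah_plus_esp_enc = ah_len() + esp_len(payload_len, icv_len=0)  # AH authenticates ESP
    return {
        "payload": payload_len,
        "esp_enc_auth": esp_enc_auth,
        "ah_plus_esp_enc": ah_plus_esp_enc,
        "extra_bytes": ah_plus_esp_enc - esp_enc_auth,
        "esp_pct": round(100.0 * esp_enc_auth / payload_len, 1),
        "combined_pct": round(100.0 * ah_plus_esp_enc / payload_len, 1),
    }


def overhead_table(payload_sizes=(40, 100, 500, 1400)):
    """Overhead rows for a range of payload sizes; small payloads show the gap."""
    return [compare(n) for n in payload_sizes]


if __name__ == "__main__":
    print("payload  ESP(enc+auth)  AH+ESP(enc)  extra  ESP%  AH+ESP%")
    for row in overhead_table():
        print("{payload:>7}  {esp_enc_auth:>13}  {ah_plus_esp_enc:>11}  "
              "{extra_bytes:>5}  {esp_pct:>5}  {combined_pct:>6}".format(**row))
    # ESP-NULL with ICV costs about the same bytes as AH alone for a 40-byte payload
    print("ESP-NULL+auth for 40 bytes:", esp_len(40, cipher_block=1, iv_len=0),
          "vs AH:", ah_len())
```

The absolute difference between the two layouts is a constant 12 bytes per packet (a 24-byte AH in exchange for dropping ESP's 12-byte ICV), so the percentage gap shrinks as the payload grows, which is exactly why the bandwidth cost only matters for traffic dominated by small packets.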