IETF Logo Mail Archive

Re: [IPsec] Avoiding Authentication Header (AH)

RJ Atkinson <rja.lists@gmail.com> Mon, 02 January 2012 21:11 UTC

Return-Path: <rja.lists@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B301721F8AD9 for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 13:11:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wKfiV7EaP2eA for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 13:11:11 -0800 (PST)
Received: from mail-qw0-f51.google.com (mail-qw0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id EB8A121F8AD8 for <ipsec@ietf.org>; Mon, 2 Jan 2012 13:11:10 -0800 (PST)
Received: by qadz3 with SMTP id z3so10310266qad.10 for <ipsec@ietf.org>; Mon, 02 Jan 2012 13:11:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date :content-transfer-encoding:message-id:references:to:x-mailer; bh=7dswbG4z9P7TPT7EgTJnV/cbV6F1cnr4YJx/5uKppU8=; b=bV+SXdhhTA8O13co3bBjaz9tgwCtYU5IkC+hsD3Jkdy/11dt7ZcBIBhqcjuUesCAll lWXg5x6xhUwINswmUtBnA+C39fcIeeg75uU2mIdztchduRWuSV6t3d9jY3uOJvPkkSQa p1FdL6GYKUj21slq1hgw2Q298ehaMam7KbI2I=
Received: by 10.224.192.3 with SMTP id do3mr58651917qab.58.1325538669300; Mon, 02 Jan 2012 13:11:09 -0800 (PST)
Received: from [10.30.20.12] (pool-96-225-134-175.nrflva.fios.verizon.net. [96.225.134.175]) by mx.google.com with ESMTPS id dk2sm26722292qab.12.2012.01.02.13.11.07 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 02 Jan 2012 13:11:08 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset="us-ascii"
From: RJ Atkinson <rja.lists@gmail.com>
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350D027BB46F@INBANSXCHMBSA1.in.alcatel-lucent.com>
Date: Mon, 02 Jan 2012 16:11:08 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <F1B15794-3291-4E71-BE26-A3559F408B01@gmail.com>
References: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D027BB46F@INBANSXCHMBSA1.in.alcatel-lucent.com>
To: IPsec ME WG List <ipsec@ietf.org>
X-Mailer: Apple Mail (2.1251.1)
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jan 2012 21:11:11 -0000

On 02  Jan 2012, at 10:16 , Bhatia, Manav (Manav) wrote:

> [clipped]
> 
>> Most major IPv6 routers, for example multiple product lines from both Cisco 
>> and Juniper, also support AH in shipping product and have done for some while now.  
>> So AH remains a very widely available protocol.
> 
> It may be widely available, but clearly it isnt as widely used.

Use of AH to protect OSPFv3 is not uncommon within
the set of sites that deploy OSPFv3.  It provides
protections that no other mechanism can provide,
for example it can be used to detect options-based
attacks.

> You might also be interested in the following draft which will be published as RFC any time now:
> http://tools.ietf.org/html/draft-ietf-ospf-auth-trailer-ospfv3-11

I am well aware of it.  That document does NOT deprecate 
use of AH with OSPFv3 either.

>> 	- Some IPv6 profiles, including the US Government
>> 	  profile for IPv6, require AH support either generally
>> 	  or in certain situations (example: to protect OSPFv3,
>> 	  to authenticate certain IP options or IP extension
>> 	  headers).
> 
> Just trying to understand. Is there a reason why ESP-NULL cant be used?

I gave a list earlier of a number of different scenarios where
and reasons why AH is used.  A subset of that list:
	- ESP null does not protect options/optional headers.
	- ESP null cannot reliably be parsed past.

>> This WG ought not make existing legitimate uses of AH invalid or not recommended.  
> 
> What makes you think that this draft is trying to do that?

The text in your two drafts on the topic.

>> There is no available alternative for authenticating IP-layer options, extension headers, and so forth.  
>> AH is the only available way to do such authentication at present.
> 
> If you include the ESP header before the extension headers can you not use it to authenticate the extension headers?

That isn't possible, for various reasons.  

For IPv4, options always appear before the ESP header.

For IPv6, there are multiple reasons, including but not
limited to:
	- There still is no 100% reliable way to parse past an
	  ESP NULL header 
	-- IPv6 has strict rules on the order of headers
	   and an ESP NULL header can't appear before either 
	   a Routing Header or a Hop-by-Hop Options Header 
	   because those two header types need to be 100% readable 
	   by routers handling the IPv6 packet.


>> FIREWALLS & MIDDLEBOXES:
>> 
>> While this WG has produced some documents with guidance on how to approach parsing 
>> past an ESP header when NULL encryption is used, we still do not have a completely 
>> reliable way to parse past an ESP header when NULL encryption is used.  
> 
> And pray why is that?

The existing documents' methods aren't 100% reliable.
I wish they were, but they aren't.

Yours,

Ran

v2.23.0 | Report a Bug | By Email