Re: [IPsec] Working Group Last Call: draft-ietf-ipsecme-esp-ah-reqts
Paul Wouters <paul@cypherpunks.ca> Wed, 26 February 2014 13:20 UTC
Return-Path: <paul@cypherpunks.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5ADBE1A030B for <ipsec@ietfa.amsl.com>; Wed, 26 Feb 2014 05:20:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PabcroPaxrML for <ipsec@ietfa.amsl.com>; Wed, 26 Feb 2014 05:20:40 -0800 (PST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) by ietfa.amsl.com (Postfix) with ESMTP id 4D1C11A007F for <ipsec@ietf.org>; Wed, 26 Feb 2014 05:20:40 -0800 (PST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id C66F580D6D; Wed, 26 Feb 2014 08:20:37 -0500 (EST)
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id s1QDKbeZ008503; Wed, 26 Feb 2014 08:20:37 -0500
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Wed, 26 Feb 2014 08:20:37 -0500
From: Paul Wouters <paul@cypherpunks.ca>
X-X-Sender: paul@bofh.nohats.ca
To: Valery Smyslov <svanru@gmail.com>
In-Reply-To: <C304982FF00F49BCB9A581CF122595FC@buildpc>
Message-ID: <alpine.LFD.2.10.1402260806260.3528@bofh.nohats.ca>
References: <530CE583.6030801@gmail.com> <C1A9B4B9-FABA-4EAB-B325-88DCB3F3D9CB@gmail.com> <alpine.LFD.2.10.1402251615220.21879@bofh.nohats.ca> <7722BB5C-67E3-4A26-B767-D31FA122ABFB@vpnc.org> <C304982FF00F49BCB9A581CF122595FC@buildpc>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/QHskMef5IPUYEMHkytR3dF9-hIM
Cc: ipsec <ipsec@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [IPsec] Working Group Last Call: draft-ietf-ipsecme-esp-ah-reqts
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 13:20:43 -0000
On Wed, 26 Feb 2014, Valery Smyslov wrote: >> It is for systems that don't implement AH. We should probably say this >> explicitly in section 3. > > I don't think it is limited for those systems only. > You may implement AH, but yon cannot use it > everywhere, as it is not compatible with NATs. > And ESP-NULL with Auth is the only substitute there. > So, it must be MUST for any system. Why did we not kill AH all together when Schneier and Ferguson told us so? :P But you are right. Perhaps some text along the line of: ESP-NULL offers the same protection as AH, but is more widely accepted and functional compared to AH. AH does not work through NATs and is not implemented in every IPsec stack. AH requires firewall rules different from ESP causing it to get accidentally filtered. ESP-NULL is also used in performance testing as a benchmark against ESP encryption algorithms. ESP-NULL should never be automatically selected as part of IKE unless explicitely configured as the only ESP encryption algorithm. Paul
- [IPsec] Working Group Last Call: draft-ietf-ipsec… Yaron Sheffer
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Yoav Nir
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Paul Wouters
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Paul Hoffman
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Paul Wouters
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Paul Hoffman
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Valery Smyslov
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Yaron Sheffer
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Paul Wouters
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Stephen Kent
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Stephen Kent
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Tero Kivinen
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Valery Smyslov
- Re: [IPsec] Working Group Last Call: draft-ietf-i… RJ Atkinson
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Tero Kivinen
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Paul Wouters
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Paul Wouters
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Valery Smyslov
- Re: [IPsec] Working Group Last Call: draft-ietf-i… RJ Atkinson
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Paul Wouters
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Paul Hoffman
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Paul Hoffman
- Re: [IPsec] Working Group Last Call: draft-ietf-i… Valery Smyslov