Re: [IPsec] Working Group Last Call: draft-ietf-ipsecme-esp-ah-reqts

Paul Wouters <paul@cypherpunks.ca> Wed, 26 February 2014 13:20 UTC

To: Valery Smyslov <svanru@gmail.com>
Cc: ipsec <ipsec@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <C304982FF00F49BCB9A581CF122595FC@buildpc>
Message-ID: <alpine.LFD.2.10.1402260806260.3528@bofh.nohats.ca>
References: <530CE583.6030801@gmail.com> <C1A9B4B9-FABA-4EAB-B325-88DCB3F3D9CB@gmail.com> <alpine.LFD.2.10.1402251615220.21879@bofh.nohats.ca> <7722BB5C-67E3-4A26-B767-D31FA122ABFB@vpnc.org> <C304982FF00F49BCB9A581CF122595FC@buildpc>
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/QHskMef5IPUYEMHkytR3dF9-hIM

On Wed, 26 Feb 2014, Valery Smyslov wrote:

>> It is for systems that don't implement AH. We should probably say this 
>> explicitly in section 3.
>
> I don't think it is limited to those systems only.
> You may implement AH, but you cannot use it
> everywhere, as it is not compatible with NATs.
> And ESP-NULL with Auth is the only substitute there.
> So, it must be MUST for any system.

Why did we not kill AH altogether when Schneier and Ferguson told us to? :P
But you are right. Perhaps some text along the lines of:

    ESP-NULL offers the same protection as AH, but is more widely
    accepted and functional compared to AH. AH does not work through
    NATs and is not implemented in every IPsec stack. AH requires
    firewall rules different from ESP, causing it to get accidentally
    filtered. ESP-NULL is also used in performance testing as
    a benchmark against ESP encryption algorithms. ESP-NULL should
    never be automatically selected as part of IKE unless explicitly
    configured as the only ESP encryption algorithm.

Paul
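The last sentence of Paul's proposed text describes a selection rule a responder can enforce: ENCR_NULL is never picked from an initiator's proposals unless local policy lists it as the only ESP encryption algorithm, and even then only with a separate integrity algorithm. The following is an added example of mine, not code from the thread or from any IPsec implementation; the policy dictionary shape and the AEAD set are assumptions, while the transform names are IKEv2 identifiers.

```python
"""Added example (not from the thread or any IPsec stack): a responder's ESP
transform selection that never picks ESP-NULL by accident."""

ENCR_NULL = "ENCR_NULL"
AEAD_CIPHERS = {"ENCR_AES_GCM_16"}   # combined-mode ciphers carry their own integrity


def esp_null_allowed(policy):
    """ESP-NULL is acceptable only when it is the sole configured ESP encryption algorithm."""
    return policy["encr"] == [ENCR_NULL]


def transform_is_valid(encr, integ):
    """ESP-NULL and other non-AEAD ciphers need a separate integrity algorithm
    (ESP-NULL without Auth protects nothing); AEAD ciphers must not get one."""
    if encr in AEAD_CIPHERS:
        return integ == "NONE"
    return integ != "NONE"


def select_esp_transform(policy, proposals):
    """policy: {"encr": [...], "integ": [...]} in local preference order (assumed shape).
    proposals: (encr, integ) pairs offered by the initiator.
    Returns the first locally acceptable pair, or None when nothing is acceptable."""
    for encr in policy["encr"]:
        if encr == ENCR_NULL and not esp_null_allowed(policy):
            continue  # never fall back to no confidentiality by accident
        for integ in policy["integ"]:
            if not transform_is_valid(encr, integ):
                continue
            if (encr, integ) in proposals:
                return (encr, integ)
    return None


# Constructed policies for illustration.
DEFAULT_POLICY = {"encr": ["ENCR_AES_GCM_16", "ENCR_AES_CBC", ENCR_NULL],
                  "integ": ["NONE", "AUTH_HMAC_SHA2_256_128"]}
NULL_ONLY_POLICY = {"encr": [ENCR_NULL], "integ": ["AUTH_HMAC_SHA2_256_128"]}

if __name__ == "__main__":
    # Initiator offers only ESP-NULL; the default policy refuses rather than downgrading.
    print(select_esp_transform(DEFAULT_POLICY, [(ENCR_NULL, "AUTH_HMAC_SHA2_256_128")]))
    # An explicit ESP-NULL-only policy (e.g. a benchmark box) accepts it.
    print(select_esp_transform(NULL_ONLY_POLICY, [(ENCR_NULL, "AUTH_HMAC_SHA2_256_128")]))
```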