IETF Logo Mail Archive

Re: [IPsec] Avoiding Authentication Header (AH)

Jack Kohn <kohn.jack@gmail.com> Mon, 02 January 2012 19:24 UTC

Return-Path: <kohn.jack@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B7C21F0C48 for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 11:24:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6CGMeeyTmyir for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 11:24:44 -0800 (PST)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id 444FD1F0C3F for <ipsec@ietf.org>; Mon, 2 Jan 2012 11:24:44 -0800 (PST)
Received: by qadb15 with SMTP id b15so9218063qad.10 for <ipsec@ietf.org>; Mon, 02 Jan 2012 11:24:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=xER+IDHrK0dpnu1mWAPzpwjQX0ZjNh/FBMgT4uEw8VI=; b=FKpfyHf8WPNp3jrU+JPWBjK/ncFvEClqTavyV0UniJPV5iKThZQnvtzoBYj1jScEZY EeoMQFup3Bj5SV28/nODKqjHDsM26v6UV6XNYt+vzM6ZSkMeDd4arR3Bqs9gOaEJ5D2C Tu/Cf929EjNBt0rx82DadGotDq1MPBef1e5/Q=
MIME-Version: 1.0
Received: by 10.224.10.19 with SMTP id n19mr58054802qan.68.1325532282597; Mon, 02 Jan 2012 11:24:42 -0800 (PST)
Received: by 10.229.39.139 with HTTP; Mon, 2 Jan 2012 11:24:42 -0800 (PST)
In-Reply-To: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com>
References: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com>
Date: Tue, 03 Jan 2012 00:54:42 +0530
Message-ID: <CAA1nO73AL-n+rfRuJegN=j7NQ0y7=6uxpNtZ9mCCJRW6OjxwEg@mail.gmail.com>
From: Jack Kohn <kohn.jack@gmail.com>
To: RJ Atkinson <rja.lists@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: IPsec ME WG List <ipsec@ietf.org>
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jan 2012 19:24:45 -0000

>
> While AH uses are limited today, just as the use of
> IP options/extensions are limited today, current active
> uses of AH in real-world deployments today include at least
> these -- built using commercial off-the-shelf products:

BTW, there is a discussion going on in NANOG on who uses AH and nobody
seems to be raising their hands.

Obviously, one cant take draw to much from that, but it just gives you
a data point.

Jack.

>
>        - AH with IPv4 to authenticate sensitivity label
>          options (e.g. FIPS-188, RFC-1108).
>
>        - AH with IPv4 to prevent options-based attacks,
>          primarily in certain high-threat environments.
>
>        - AH with IPv6 to authenticate certain IPv6
>          extension headers and options, primarily in
>          certain high-threat environments.
>
>        - AH with IPv6 to prevent extension-header-based
>          and options-based attacks, primarily in certain
>          high-threat environments.
>
>        - Many IPv6 deployments using OSPFv3 have enabled
>          OSPFv3 protection using AH.  Most router vendors,
>          including (for example) multiple product lines
>          from both Cisco and Juniper, shipped this capability
>          long ago -- and this use of AH is both interoperable
>          and widespread, largely within IPv6 enterprise
>          deployments.  OSPFv3 itself is largely deployed in
>          enterprises today, as I/IS-IS is more popular with
>          ISPs.
>
>          [NOTE WELL:  AH for OSPFv3 has NOT been deprecated, and
>          remains on the IETF standards track.  It is interesting,
>          however, that author of this AH draft is trying to kill
>          off the use of AH to protect routing information --
>          apparently because his employer does not offer this
>          AH for OSPFv3 capability in its released products.]
>
>        - Some IPv6 profiles, including the US Government
>          profile for IPv6, require AH support either generally
>          or in certain situations (example: to protect OSPFv3,
>          to authenticate certain IP options or IP extension
>          headers).
>
> This WG ought not make existing legitimate uses of AH
> invalid or not recommended.  There is no available alternative
> for authenticating IP-layer options, extension headers,
> and so forth.  AH is the only available way to do such
> authentication at present.
>
>
> FIREWALLS & MIDDLEBOXES:
>
> While this WG has produced some documents with guidance
> on how to approach parsing past an ESP header when NULL
> encryption is used, we still do not have a completely
> reliable way to parse past an ESP header when NULL
> encryption is used.
>
> By contrast, it is easy and quick to parse past an AH header
> -- either in the end system or in a firewall/router/middlebox.
> Several deployed firewall products in fact can and do
> parse past AH headers, either to perform deep packet inspection
> or simply to examine the transport protocol and port information.
>
>
> IETF PROCESS RULES:
>
> Last, on an IETF Process note, the IPsec WG Charter posted
> online is quite strict and is narrowly defined, with an
> enumerated list of allowed work items.  To quote from
> the charter:
>
>        "The scope of the WG is restricted to the
>        work items listed above."
>
> Neither changes to AH status nor Applicability Statements
> for AH are listed in the WG Charter.
>
> So it is not obvious that this document is within the charter
> for the IPsec ME WG.
>
> If the IPsec ME WG Chairs believe this work is within charter,
> they ought to post a note to the IPsec ME WG mailing list
> citing the specific charter text authorising this topic.
>
> IPsec ME Charter:
>        <http://datatracker.ietf.org/wg/ipsecme/charter/>
>
> A draft outside the Charter of an IETF WG ought not
> be developed by or within that WG.  So I don't see
> how this document properly can be considered by this WG.
>
>
> Yours,
>
> Ran
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email