IETF Logo Mail Archive

Re: [IPsec] Avoiding Authentication Header (AH)

"Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com> Tue, 03 January 2012 00:51 UTC

Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D215021F8570 for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 16:51:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.57
X-Spam-Level:
X-Spam-Status: No, score=-6.57 tagged_above=-999 required=5 tests=[AWL=0.029, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d8m-aCmJxt60 for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 16:51:19 -0800 (PST)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37]) by ietfa.amsl.com (Postfix) with ESMTP id 4511121F8578 for <ipsec@ietf.org>; Mon, 2 Jan 2012 16:51:18 -0800 (PST)
Received: from inbansmailrelay1.in.alcatel-lucent.com (h135-250-11-31.lucent.com [135.250.11.31]) by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id q030pENF027047 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 2 Jan 2012 18:51:16 -0600 (CST)
Received: from INBANSXCHHUB03.in.alcatel-lucent.com (inbansxchhub03.in.alcatel-lucent.com [135.250.12.80]) by inbansmailrelay1.in.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q030pDvj025153 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Tue, 3 Jan 2012 06:21:13 +0530
Received: from INBANSXCHMBSA1.in.alcatel-lucent.com ([135.250.12.38]) by INBANSXCHHUB03.in.alcatel-lucent.com ([135.250.12.80]) with mapi; Tue, 3 Jan 2012 06:21:13 +0530
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: RJ Atkinson <rja.lists@gmail.com>, IPsec ME WG List <ipsec@ietf.org>
Date: Tue, 03 Jan 2012 06:21:14 +0530
Thread-Topic: [IPsec] Avoiding Authentication Header (AH)
Thread-Index: AczJkxInBdO5Vny7TbqD7b3S+vzqEwAHKC/Q
Message-ID: <7C362EEF9C7896468B36C9B79200D8350D027BB484@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D027BB46F@INBANSXCHMBSA1.in.alcatel-lucent.com> <F1B15794-3291-4E71-BE26-A3559F408B01@gmail.com>
In-Reply-To: <F1B15794-3291-4E71-BE26-A3559F408B01@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.37
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2012 00:51:19 -0000

Ran,


> You might also be interested in the following draft which will be published as RFC any time now:
> http://tools.ietf.org/html/draft-ietf-ospf-auth-trailer-ospfv3-11

> I am well aware of it.  That document does NOT deprecate use of AH with OSPFv3 either.

It doesn't need to because nobody uses it.

The reason the above draft exists is because there were many people (at least service providers) who said that they did NOT want to use IPsec for OSPFv3. I am sure you have customers who love using IPsec for OSPFv3, but there is a larger percentage that doesn't.

>>> This WG ought not make existing legitimate uses of AH invalid or not recommended.  
> 
>> What makes you think that this draft is trying to do that?

> The text in your two drafts on the topic.

You did not understand the drafts.

Please point to specific text that you think "make existing legitimate uses of AH invalid or not recommended."

The draft only talks about future applications and protocols.

[clipped]

> For IPv6, there are multiple reasons, including but not limited to:
>	- There still is no 100% reliable way to parse past an
>	  ESP NULL header 

Would appreciate if you can explain why you think WESP cannot reliably parse past an ESP header?

>	-- IPv6 has strict rules on the order of headers
>	   and an ESP NULL header can't appear before either 
>	   a Routing Header or a Hop-by-Hop Options Header 
>	   because those two header types need to be 100% readable 
>	   by routers handling the IPv6 packet.

Routing Header is a security nightmare.

You were probably not aware that it has been recently deprecated by the IETF.

http://tools.ietf.org/html/rfc5095

>From the draft-bhatia-ipsecme-avoiding-ah-00:

   Hop-by-Hop options are not an issue, as the intermediate
   hops do not have keys to verify the message authentication code so
   they cannot really be protected anyways.

If you think not having ESP header before a few headers is a concern then we should fix that. If fixing this thing can get us rid of one protocol then its probably a good thing to do.

Cheers, Manav

v2.23.0 | Report a Bug | By Email