Re: [Ipsec] draft-ietf-ipsec-rfc2402bis-07.txt ... Suggest moving the "Flow Label" IPv6 base header field to "immutable" and protecting with AH

Stephen Kent <kent@bbn.com> Thu, 09 September 2004 19:08 UTC

Received: from megatron.ietf.org (megatron.ietf.org [132.151.6.71]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA13098 for <ipsec-archive@lists.ietf.org>; Thu, 9 Sep 2004 15:08:29 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1C5UAV-0004wI-L5; Thu, 09 Sep 2004 15:01:15 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1C5U8m-0002LF-GA for ipsec@megatron.ietf.org; Thu, 09 Sep 2004 14:59:28 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA12234 for <ipsec@ietf.org>; Thu, 9 Sep 2004 14:59:26 -0400 (EDT)
Received: from portal.tislabs.com ([192.94.214.101] helo=lists.tislabs.com) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1C5UCf-0008OM-Ir for ipsec@ietf.org; Thu, 09 Sep 2004 15:03:31 -0400
Received: from nutshell.tislabs.com (firewall-user@nutshell.tislabs.com [192.94.214.100]) by lists.tislabs.com (8.11.6/8.11.6) with ESMTP id i89It1d25360 for <ipsec@lists.tislabs.com>; Thu, 9 Sep 2004 14:55:01 -0400 (EDT)
Received: (from uucp@localhost) by nutshell.tislabs.com (8.12.9/8.12.9) id i89IuSLw008923 for <ipsec@lists.tislabs.com>; Thu, 9 Sep 2004 14:56:28 -0400 (EDT)
Received: from aragorn.bbn.com(128.33.0.62) by nutshell.tislabs.com via csmap (V6.0) id srcAAA5yaWzr; Thu, 9 Sep 04 14:56:25 -0400
Received: from [128.89.89.75] (dhcp89-089-075.bbn.com [128.89.89.75]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id i89Ix7jf007295; Thu, 9 Sep 2004 14:59:10 -0400 (EDT)
Mime-Version: 1.0
X-Sender: kent@po2.bbn.com
Message-Id: <p06110400bd638f660c4f@[128.89.89.75]>
In-Reply-To: <200409032247.i83MlKSj064922@givry.rennes.enst-bretagne.fr>
References: <200409032247.i83MlKSj064922@givry.rennes.enst-bretagne.fr>
Date: Thu, 09 Sep 2004 14:58:36 -0400
To: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
From: Stephen Kent <kent@bbn.com>
Subject: Re: [Ipsec] draft-ietf-ipsec-rfc2402bis-07.txt ... Suggest moving the "Flow Label" IPv6 base header field to "immutable" and protecting with AH
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang)
X-Spam-Score: 1.0 (+)
X-Scan-Signature: 7d33c50f3756db14428398e2bdedd581
Cc: ipsec@lists.tislabs.com
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org

Francis,

I looked at RFC 3697.  It does state that AH does not protect flow 
labels, which is consistent with the old AH spec (RFC 2402). So, if 
we were to change this in the new AH spec, there would be a conflict. 
Also, the security analysis in 3697 argues that since there is no 
protection of the flow spec value, intermediate systems cannot rely 
on it and an end IPsec implementation cannot rely on it in transport 
mode.  I agree that it is unlikely that we would be able to manage 
key distribution for intermediate systems to be able to check the AH 
ICV, which supports your argument that it is not worth including it 
in the ICV computation.
However, if we choose to maintain backward compatibility with 2402, 
we need to clarify in 2402bis that this is the reason for not 
including the value in the ICV computation, as opposed to the 
current, erroneous rationale.

Is the WG comfortable with the status quo, i.e., NOT including the 
flow label in the ICV, despite the fact that it is immutable?

Steve

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
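To make the point of the thread concrete, here is an added example (not code from the draft, from Steve Kent, or from any IPsec implementation) that computes an AH ICV over an IPv6 transport-mode packet two ways: with the Flow Label zeroed before hashing, as RFC 2402 classifies it (mutable, so excluded from the ICV), and with the Flow Label left in place, as the proposal in the subject line would have it. The key, addresses, SPI, payload and flow label values are constructed for the demo; the field layout follows RFC 2460 and RFC 2402, and the HMAC-SHA1-96 truncation is one of the standard AH integrity algorithms. It shows that under the status quo a receiving IPsec endpoint cannot tell that an on-path node rewrote the Flow Label, which is exactly why RFC 3697 says the label cannot be relied upon even in transport mode.

```python
"""AH ICV coverage of the IPv6 Flow Label: status quo (zeroed) versus the proposed change.

Constructed demonstration; not code from any IPsec implementation.
"""
import hashlib
import hmac
import struct

IPV6_HDR_FMT = "!IHBB16s16s"  # 40 bytes: ver/tc/flow, payload len, next hdr, hop limit, src, dst
AH_FIXED_FMT = "!BBHII"       # 12 bytes: next hdr, payload len (words-2), reserved, SPI, seq
PROTO_AH = 51
ICV_LEN = 12                  # HMAC-SHA1-96 truncates the 20-byte HMAC to 96 bits


def build_ipv6_header(traffic_class, flow_label, payload_len, next_header, hop_limit, src, dst):
    """Pack an IPv6 base header (RFC 2460 layout)."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return struct.pack(IPV6_HDR_FMT, first_word, payload_len, next_header, hop_limit, src, dst)


def build_ah_header(next_header, spi, seq):
    """Pack an AH header with a zeroed ICV field; Payload Len is in 32-bit words minus 2."""
    payload_len_words = (12 + ICV_LEN) // 4 - 2
    return struct.pack(AH_FIXED_FMT, next_header, payload_len_words, 0, spi, seq) + b"\x00" * ICV_LEN


def zero_mutable_ipv6(hdr, include_flow_label):
    """Return the copy of the base header that AH actually hashes.

    Per RFC 2402, Traffic Class, Flow Label and Hop Limit are treated as mutable and zeroed;
    Version, Payload Length, Next Header, Source and Destination are covered as sent.
    include_flow_label=True models the alternative debated on the list: keep the label in the ICV.
    """
    first_word, payload_len, next_header, _hop_limit, src, dst = struct.unpack(IPV6_HDR_FMT, hdr)
    masked = (first_word >> 28) << 28          # keep Version, zero Traffic Class and Flow Label
    if include_flow_label:
        masked |= first_word & 0xFFFFF         # re-add the 20-bit Flow Label
    return struct.pack(IPV6_HDR_FMT, masked, payload_len, next_header, 0, src, dst)


def compute_icv(key, ipv6_hdr, ah_hdr, payload, include_flow_label):
    """HMAC-SHA1-96 over (mutable-zeroed IPv6 header || AH header with zeroed ICV || payload)."""
    ah_zeroed = ah_hdr[:12] + b"\x00" * (len(ah_hdr) - 12)
    covered = zero_mutable_ipv6(ipv6_hdr, include_flow_label) + ah_zeroed + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def flow_label_change_detected(include_flow_label, new_flow_label=0x12345):
    """Sender computes the ICV; an on-path node rewrites the Flow Label and decrements Hop Limit;
    the receiver recomputes. Returns True if the receiver's ICV check would fail."""
    key = b"constructed-demo-key-not-for-real-use"
    src = bytes.fromhex("20010db8000000000000000000000001")   # constructed 2001:db8::1
    dst = bytes.fromhex("20010db8000000000000000000000002")   # constructed 2001:db8::2
    payload = b"constructed transport-mode upper-layer payload"
    ah = build_ah_header(next_header=17, spi=0x1234, seq=1)    # AH followed by UDP (17)
    total = len(ah) + len(payload)

    sent = build_ipv6_header(0, 0xABCDE, total, PROTO_AH, 64, src, dst)
    sender_icv = compute_icv(key, sent, ah, payload, include_flow_label)

    # Hop Limit decrement is legitimate and never affects the ICV; the label rewrite is the test.
    arrived = build_ipv6_header(0, new_flow_label, total, PROTO_AH, 63, src, dst)
    receiver_icv = compute_icv(key, arrived, ah, payload, include_flow_label)
    return not hmac.compare_digest(sender_icv, receiver_icv)


if __name__ == "__main__":
    print("RFC 2402 status quo (label zeroed): tamper detected =", flow_label_change_detected(False))
    print("Label covered by ICV:                tamper detected =", flow_label_change_detected(True))
```

Running it shows the asymmetry the thread is about: with the Flow Label zeroed the ICV verifies despite the rewrite, so the receiver learns nothing about whether the label is original; with the label covered, the same rewrite fails verification at the IPsec endpoint, although, as Steve notes, intermediate systems still could not check it without the AH key.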