Re: [IPsec] Avoiding Authentication Header (AH)

Jack Kohn <kohn.jack@gmail.com> Tue, 03 January 2012 00:15 UTC

From: Jack Kohn <kohn.jack@gmail.com>
To: RJ Atkinson <rja.lists@gmail.com>
Cc: IPsec ME WG List <ipsec@ietf.org>
Date: Tue, 03 Jan 2012 05:45:34 +0530
Message-ID: <CAA1nO71GwEPX1udyu=42d=1UZXr4bCporb2uyh4n3-t9V6gVzg@mail.gmail.com>
In-Reply-To: <065A8A60-0342-47AC-84EE-8A312F60BB5F@gmail.com>
References: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com> <CAA1nO72z3yuOYkwkHCDphmOsVrFtrgq-0xWviY7XRC2vMS9kFg@mail.gmail.com> <639319E3-7725-4F23-9F78-46BB49FCF172@gmail.com> <CAA1nO73JiQTPM7n5ULeFEtNC2fffgxiqN=rmu8Q1hf8aGaJULQ@mail.gmail.com> <065A8A60-0342-47AC-84EE-8A312F60BB5F@gmail.com>

We all know the different extension headers that exist in IPv6.

You said AH helps in securing IPv6 extension headers. I want to
understand which extension header did you specifically have in mind.

You can't protect the fragmentation header, since fragmentation is done
after IPsec processing and the reassembly is done before IPsec
processing.

In case of Hop-by-Hop and Destination Options Header, it's only the
Option Type and the Option Length that's included in the AH ICV
calculation. The data may or may not be included depending upon
whether it can be modified in transit or not.

ESP does not include the Option Type and the Length.

So, what's the *real* operational risk that you're looking at?

AH covers the destination IP and the source IP. If somebody changes
them, IPsec processing will fail at the SPD checks. So what do you
gain by doing this?

Again, what's the *real* gain that we get by AH?

Jack

On Tue, Jan 3, 2012 at 5:25 AM, RJ Atkinson <rja.lists@gmail.com> wrote:
>
> On 02  Jan 2012, at 18:25 , Jack Kohn wrote:
>>> Similar IPv6 examples exist.
>>
>> And I would like to know what those are.
>>
>> What about IPv6?
>
> As I noted, a range of examples exist for IPv6,
> and another range of examples exist for IPv4.
>
> If one is inclined to study further, one possible
> starting place is the IANA registries of IP options
> and optional headers.  Most, but sadly not all,
> currently defined IPv4 and IPv6 options are listed
> by IANA in various registries:
>
>        <http://www.iana.org>
>
> Yours,
>
> Ran
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
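The coverage rules Jack describes (Option Type and Option Data Length always in the AH ICV, option data zeroed only when the option is marked as changeable en route, source and destination address covered, Hop Limit and Flow Label not) are the RFC 4302 mutable-field rules. The following is an added worked example, not code from this thread or from any IPsec implementation: it builds the "ICV view" of an IPv6 base header and of a Hop-by-Hop Options header and shows which changes leave the ICV unchanged. All packet bytes are constructed here; the 2001:db8::/32 documentation prefix is used for the addresses, option type 0x3E is used only because its change-en-route bit (0x20) is set, and the ICV is an HMAC-SHA-256 truncated to 128 bits over the prepared bytes alone (a real AH ICV also covers the AH header and the payload, which this example leaves out).

```python
"""AH integrity coverage of IPv6 headers, constructed example (RFC 4302 rules).

AH computes the ICV over a copy of the packet in which mutable fields are
zeroed.  For an IPv6 option, Option Type and Option Data Length are always
covered; Option Data is zeroed only when the 'change en route' bit is set.
"""
import hashlib
import hmac

CHANGE_EN_ROUTE = 0x20   # third-highest-order bit of the IPv6 Option Type

# --- constructed sample data -------------------------------------------------
KEY = b"constructed-example-key"
SRC = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1
DST = bytes.fromhex("20010db8000000000000000000000002")   # 2001:db8::2
# Version 6, Traffic Class 0x12, Flow Label 0x34567, Payload Length 16,
# Next Header 0 (Hop-by-Hop), Hop Limit 64
IPV6_HDR = bytes.fromhex("61234567" "0010" "00" "40") + SRC + DST

# Hop-by-Hop header, Next Header 59 (none), Hdr Ext Len 1 (16 octets):
#   Router Alert (type 0x05, immutable), a constructed mutable option
#   (type 0x3E, change-en-route bit set), PadN (type 0x01)
HBH_A = bytes.fromhex("3b01" "05020000" "3e04deadbeef" "01020000")
HBH_B = bytes.fromhex("3b01" "05020000" "3e0400112233" "01020000")  # mutable data changed
HBH_C = bytes.fromhex("3b01" "05020001" "3e04deadbeef" "01020000")  # immutable data changed


def ah_icv_view_of_ipv6_header(hdr: bytes) -> bytes:
    """Zero the mutable fields of a 40-octet IPv6 base header (Traffic Class,
    Flow Label, Hop Limit).  Version, Payload Length, Next Header, Source and
    Destination (no Routing header assumed) remain covered."""
    if len(hdr) != 40 or hdr[0] >> 4 != 6:
        raise ValueError("expected a 40-octet IPv6 base header")
    out = bytearray(hdr)
    out[0] &= 0xF0                  # keep Version, zero upper Traffic Class nibble
    out[1] = out[2] = out[3] = 0    # lower Traffic Class nibble and Flow Label
    out[7] = 0                      # Hop Limit
    return bytes(out)


def ah_icv_view_of_options(ext: bytes) -> bytes:
    """Return a Hop-by-Hop/Destination Options header as AH feeds it to the
    ICV: Next Header, Hdr Ext Len, every Option Type and Option Data Length
    are kept; Option Data is zeroed for options that may change en route."""
    if len(ext) < 8 or len(ext) % 8:
        raise ValueError("options header must be a non-empty multiple of 8 octets")
    if len(ext) != (ext[1] + 1) * 8:
        raise ValueError("Hdr Ext Len does not match buffer length")
    out = bytearray(ext[:2])
    i = 2
    while i < len(ext):
        opt_type = ext[i]
        if opt_type == 0:           # Pad1: a single octet with no length field
            out.append(0)
            i += 1
            continue
        if i + 1 >= len(ext):
            raise ValueError("truncated option")
        opt_len = ext[i + 1]
        data = ext[i + 2:i + 2 + opt_len]
        if len(data) != opt_len:
            raise ValueError("option data overruns header")
        out += bytes((opt_type, opt_len))
        out += bytes(opt_len) if opt_type & CHANGE_EN_ROUTE else data
        i += 2 + opt_len
    return bytes(out)


def ah_icv(key: bytes, icv_input: bytes) -> bytes:
    """HMAC-SHA-256 truncated to 128 bits, as an AH integrity algorithm would."""
    return hmac.new(key, icv_input, hashlib.sha256).digest()[:16]


def icv_over_headers(key: bytes, ipv6_hdr: bytes, hbh: bytes) -> bytes:
    """ICV over the base header and options header only (constructed scope)."""
    return ah_icv(key, ah_icv_view_of_ipv6_header(ipv6_hdr)
                  + ah_icv_view_of_options(hbh))


if __name__ == "__main__":
    ref = icv_over_headers(KEY, IPV6_HDR, HBH_A)
    print("mutable option data changed, ICV unchanged:",
          icv_over_headers(KEY, IPV6_HDR, HBH_B) == ref)
    print("immutable option data changed, ICV unchanged:",
          icv_over_headers(KEY, IPV6_HDR, HBH_C) == ref)
    hopped = bytearray(IPV6_HDR); hopped[7] -= 1      # a router decrements Hop Limit
    print("hop limit changed, ICV unchanged:",
          icv_over_headers(KEY, bytes(hopped), HBH_A) == ref)
    rerouted = IPV6_HDR[:24] + SRC                    # destination rewritten
    print("destination changed, ICV unchanged:",
          icv_over_headers(KEY, rerouted, HBH_A) == ref)
```

Run as-is the script reports that changing the mutable option's data or the Hop Limit leaves the ICV intact, while changing the Router Alert value or the destination address does not, which is exactly the distinction the post draws between what AH covers in an extension header and what it does not. Whether that coverage of the Type/Length fields and of the immutable option data is worth AH's cost, given that a rewritten destination already fails SPD checks, is the question left open in the thread.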