Re: [IPsec] Avoiding Authentication Header (AH)
Jack Kohn <kohn.jack@gmail.com> Tue, 03 January 2012 00:15 UTC
In-Reply-To: <065A8A60-0342-47AC-84EE-8A312F60BB5F@gmail.com>
References: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com> <CAA1nO72z3yuOYkwkHCDphmOsVrFtrgq-0xWviY7XRC2vMS9kFg@mail.gmail.com> <639319E3-7725-4F23-9F78-46BB49FCF172@gmail.com> <CAA1nO73JiQTPM7n5ULeFEtNC2fffgxiqN=rmu8Q1hf8aGaJULQ@mail.gmail.com> <065A8A60-0342-47AC-84EE-8A312F60BB5F@gmail.com>
Date: Tue, 03 Jan 2012 05:45:34 +0530
Message-ID: <CAA1nO71GwEPX1udyu=42d=1UZXr4bCporb2uyh4n3-t9V6gVzg@mail.gmail.com>
From: Jack Kohn <kohn.jack@gmail.com>
To: RJ Atkinson <rja.lists@gmail.com>
Cc: IPsec ME WG List <ipsec@ietf.org>
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
We all know the different extension headers that exist in IPv6. You said AH helps in securing IPv6 extension headers. I want to understand which extension header you specifically had in mind.

You can't protect the fragmentation header, since fragmentation is done after IPsec processing and the reassembly is done before IPsec processing. In the case of the Hop-by-Hop and Destination Options headers, it's only the Option Type and the Option Length that are included in the AH ICV calculation. The data may or may not be included, depending upon whether it can be modified in transit or not. ESP does not include the Option Type and the Length.

So, what's the *real* operational risk that you're looking at?

AH covers the destination IP and the source IP. If somebody changes them, IPsec processing will fail at the SPD checks. So what do you gain by doing this?

Again, what's the *real* gain that we get by AH?

Jack

On Tue, Jan 3, 2012 at 5:25 AM, RJ Atkinson <rja.lists@gmail.com> wrote:
>
> On 02 Jan 2012, at 18:25 , Jack Kohn wrote:
>>> Similar IPv6 examples exist.
>>
>> And I would like to know what those are.
>>
>> What about IPv6?
>
> As I noted, a range of examples exist for IPv6,
> and another range of examples exist for IPv4.
>
> If one is inclined to study further, one possible
> starting place is the IANA registries of IP options
> and optional headers. Most, but sadly not all,
> currently defined IPv4 and IPv6 options are listed
> by IANA in various registries:
>
> <http://www.iana.org>
>
> Yours,
>
> Ran
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
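An added example, not part of this thread, that makes the coverage rules Jack describes concrete: it builds an IPv6 packet carrying a Hop-by-Hop header and shows which bytes an AH ICV covers (mutable base-header fields and mutable option data zeroed, Option Type and Length kept) versus what an ESP ICV covers (nothing before the ESP header). The addresses, key, payload and option contents are constructed; the AH and ESP headers themselves are left out of the covered bytes for brevity.

```python
import hashlib
import hmac
import struct

HOPBYHOP = 0
OPT_CHG_BIT = 0x20  # option-type bit "data may change en route" (RFC 2460 s4.2)

def ah_icv_input(pkt: bytes) -> bytes:
    """Bytes an AH ICV covers for IPv6 + optional Hop-by-Hop header, mutable fields
    zeroed per RFC 4302 s3.3.3.1 (the AH header itself is omitted for brevity)."""
    if len(pkt) < 40:
        raise ValueError("short IPv6 header")
    hdr = bytearray(pkt[:40])
    hdr[0] &= 0xF0                # zero Traffic Class high nibble, keep Version
    hdr[1] = hdr[2] = hdr[3] = 0  # rest of Traffic Class and the Flow Label
    hdr[7] = 0                    # Hop Limit is decremented by every router
    out, off = bytes(hdr), 40     # Payload Length, Next Header, addresses stay
    if pkt[6] == HOPBYHOP:
        ext_len = (pkt[off + 1] + 1) * 8
        if len(pkt) < off + ext_len:
            raise ValueError("truncated Hop-by-Hop header")
        ext = bytearray(pkt[off:off + ext_len])
        i = 2
        while i < ext_len:
            if ext[i] == 0:          # Pad1: one byte, no length field
                i += 1
                continue
            length = ext[i + 1]
            if ext[i] & OPT_CHG_BIT: # mutable option: Type and Length stay
                ext[i + 2:i + 2 + length] = bytes(length)  # covered, data is zeroed
            i += 2 + length
        out += bytes(ext)
        off += ext_len
    return out + pkt[off:]

def esp_icv_input(pkt: bytes) -> bytes:
    """Contrast: an ESP ICV covers nothing before the ESP header, so the IP header
    and preceding extension headers are unauthenticated (ESP header/trailer omitted)."""
    off = 40 + ((pkt[41] + 1) * 8 if pkt[6] == HOPBYHOP else 0)
    return pkt[off:]

def icv(data: bytes, key: bytes = b"constructed-demo-key") -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:16]  # 128-bit truncation as in RFC 4868
DST = bytes.fromhex("20010db8000000000000000000000002")  # constructed addresses
def build_packet(hop_limit=64, opt_type=0x26, opt_data=bytes(range(1, 7)), dst=DST) -> bytes:
    """Constructed sample: IPv6 + Hop-by-Hop (one option, 0x26 = Quick-Start, chg bit set, then PadN)."""
    hbh = bytes([59, 1, opt_type, len(opt_data)]) + opt_data + bytes([1, 4, 0, 0, 0, 0])
    src, payload = bytes.fromhex("20010db8000000000000000000000001"), b"constructed payload"
    base = struct.pack("!IHBB", 0x60000000, len(hbh) + len(payload), HOPBYHOP, hop_limit)
    return base + src + dst + hbh + payload
```

Changing the Hop Limit or the mutable option's data leaves the AH input unchanged, while changing the Option Type or an address changes it; the ESP input is indifferent to all of those.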