IETF Logo Mail Archive

Re: [IPsec] Avoiding Authentication Header (AH)

Tero Kivinen <kivinen@iki.fi> Thu, 05 January 2012 14:23 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDFBA21F87CA for <ipsec@ietfa.amsl.com>; Thu, 5 Jan 2012 06:23:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WAmILNbgIjnT for <ipsec@ietfa.amsl.com>; Thu, 5 Jan 2012 06:23:14 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01EB021F8762 for <ipsec@ietf.org>; Thu, 5 Jan 2012 06:23:13 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id q05EN787018794 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 5 Jan 2012 16:23:07 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id q05EN6E9020690; Thu, 5 Jan 2012 16:23:06 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <20229.45642.477101.356308@fireball.kivinen.iki.fi>
Date: Thu, 05 Jan 2012 16:23:06 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350D028A2C92@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <7C362EEF9C7896468B36C9B79200D8350D028A2953@INBANSXCHMBSA1.in.alcatel-lucent.com> <6442.1325686562@marajade.sandelman.ca> <7C362EEF9C7896468B36C9B79200D8350D028A2AE5@INBANSXCHMBSA1.in.alcatel-lucent.com> <4F05197A.9090505@ieca.com> <7C362EEF9C7896468B36C9B79200D8350D028A2C92@INBANSXCHMBSA1.in.alcatel-lucent.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 11 min
X-Total-Time: 10 min
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2012 14:23:17 -0000

Bhatia, Manav (Manav) writes:
> Hi Sean,
> 
> All I am saying is this:
> 
> There are many implementations that don't support AH as 4301 has a
> MAY support clause for AH.

Just noting that same is true for WESP. It is not mandatory to
implement, and I would claim there are way more implementations out
there supporting AH than there are supporting WESP. 

> Even within IETF there could be WGs looking at using or extending
> AH.

If there are some, just point us to them... anyways extending AH would
clearly require comments from the IPsec community so doing such thing
and not getting comments from this list would (or at least should) be
impossible.

> Given that ESP does everything useful that AH does, it makes no
> sense to continue using AH. I think we should have a draft that says
> this. However, there are some very corner cases where it *may* make
> sense to use AH (though I am still a little unconvinced, but I'll
> concede for the sake of moving on) and people are most welcome to do
> that.

ESP-NULL does not provide the "reliable 100% proof" ability to parse
past the header. WESP does, but that is in the same category in the
implementations than AH (MAY), so that does not help.

Heuristics does provide a way to parse past the headers, but people
claim it is not reliable enough for them, and again it is in same
category in the implementations. Altough deploying heuristics
implementation is faster as it only requires changes to middleboxes
not end nodes...

> If a WG ends up mandating AH (when ESP could have been used) then
> Yes it's a problem for everyone, right from the vendors to the
> users, who have to now support AH too in their products and
> networks.

If WG wants to mandate AH, and we cannot convince them otherwise,
having a document which says so does not help. On the other hand if we
have stealth WG trying to sneak AH past IPsec community, I think they
will also conviently ignore this document too.

In summary I do not think there is problem, and I do not think we need
to say anything about AH right now.
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email