Re: [IPsec] Avoiding Authentication Header (AH)

Nico Williams <nico@cryptonector.com> Wed, 04 January 2012 05:49 UTC

From: Nico Williams <nico@cryptonector.com>
To: Jack Kohn <kohn.jack@gmail.com>
Cc: IPsec ME WG List <ipsec@ietf.org>, RJ Atkinson <rja.lists@gmail.com>

On Tue, Jan 3, 2012 at 9:02 PM, Jack Kohn <kohn.jack@gmail.com> wrote:
>> Unfortunately, the IETF has long-standing challenges with
>> getting users/operators, especially enterprise/academic/
>> government users, to participate in its WGs.
>
> The problem is not this.
>
> The problem is that a few loud people (in some occasions, just one)
> can filibuster good ideas over long-held antiquated views on how
> technology is (or should be) used. In a few cases, it's got little to
> do with the technology really ..

Advising (and updating said advice as circumstances change) use-IPsec
protocol designers as to when to use ESP and/or AH is something we
should do.  Deprecating AH seems like a nice idea, but if there are good
reasons to still use it, then maybe not.

In 2012 the use of manually keyed unicast SAs with group shared keys
is not exactly impressive (because not scalable).  We could reach
consensus to ignore such usage of IPsec.  Or not -- hardly a big deal
if not, eh?

Nico