Re: [IPsec] I-D Action: draft-ietf-ipsecme-esp-ah-reqts-03.txt

RJ Atkinson <> Wed, 02 April 2014 20:35 UTC

From: RJ Atkinson <>
Date: Wed, 2 Apr 2014 16:34:52 -0400
To: IPsec ME WG List <>

On 02 Apr 2014, at 16:17, Paul Hoffman wrote:
> Actually, yes. Looking in the archives,
> I see you stating it in a few different threads.

Again, that's not what I said, but instead 
what you have mis-read.

>> A general IPsec Requirements document ought to be addressing
>> all deployed use cases, and ought not be limited to VPN uses.
> If that's what the WG wants, great. In me reading the
> list as a document author, I don't see people agreeing with that.

If this I-D is NOT addressing all IPsec use cases, then why isn't
this I-D titled the "IPsec VPN Requirements" document?

> Good catch. Proposed improvement:
>   The IPsec community generally prefers ESP with NULL encryption over AH.
>   AH is still required in some protocols and operational environments when
>   there are security-sensitive options in the IP header, such as source
>   routing headers; ESP inherently cannot those IP options.

I assume you meant to write:  s/cannot those/cannot protect those/

If I understand the intended text, that is an important and very helpful 
improvement, and I very much appreciate it being added.

>> It also should mention IP sensitivity label options, such as RFC-1108 
>> and RFC-5570 as a use case for AH, in addition to source-routing headers.
> Having this document listing all of the IP options from Informational RFCs
> would undermine the value of this document.

  Adding s/source routing headers;/source routing headers or sensitivity
label options;/  plus adding those 2 RFC citations to your "proposed 
improvement" text above could not possibly "undermine the value of this 
document", particularly since both RFCs are examples of currently
deployed use cases.

  Please re-consider applying the brief text edits I've provided just above 
and the corresponding citations to those 2 RFCs.
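The technical point argued above (AH's ICV covers immutable IP header options such as the RFC 1108 Basic Security Option, while ESP's ICV covers only the ESP header, payload and trailer, so a sensitivity label in the IP header is outside ESP's protection) can be shown end to end. The following is an added example written for this archive page; it is not code from the thread, from the draft, or from any IPsec implementation. It assumes HMAC-SHA-256-128 (RFC 4868) as the integrity algorithm, a constructed key and constructed 192.0.2.x addresses, transport mode for both AH and ESP-NULL, and it simplifies by leaving the IPv4 checksum zero, carrying only the (immutable) BSO option, and ignoring replay windows. The `rewrite_label` tamper test stands in for any on-path rewrite of the header option, to show which ICV check detects it.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real SA derives this from IKE. Not for real use.
KEY = b"constructed-demo-key-do-not-reuse"
ICV_LEN = 16                           # HMAC-SHA-256-128 (RFC 4868): 128-bit truncated tag
PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17
OPT_EOL, OPT_NOP, OPT_BSO = 0, 1, 130  # IPv4 End-of-Options, NOP, RFC 1108 Basic Security Option
SECRET, UNCLASSIFIED = 0x5A, 0xAB      # RFC 1108 classification-level code points


def bso_option(level, authority_flags=b"\x00"):
    """RFC 1108 Basic Security Option: type 130, length, classification level, authority flags."""
    body = bytes([level]) + authority_flags
    return bytes([OPT_BSO, 2 + len(body)]) + body


def ipv4_header(proto, payload_len, options=b""):
    """IPv4 header with options padded (EOL bytes) to a 32-bit boundary; constructed addresses."""
    options += bytes(-len(options) % 4)
    ihl = 5 + len(options) // 4
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum (left 0), src, dst
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + payload_len,
                        0x1234, 0, 64, proto, 0,
                        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return fixed + options


def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_immutable_view(ip_hdr):
    """Zero the IPv4 fields AH treats as mutable (RFC 4302 App. A): TOS, flags/frag offset,
    TTL, header checksum. Options are kept: this example only carries the immutable BSO."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_protect(payload, spi=0x1000, seq=1):
    """AH transport mode: ICV over the immutable IP header view, AH header (ICV zeroed), payload."""
    ip_hdr = ipv4_header(PROTO_AH, 12 + ICV_LEN + len(payload), bso_option(SECRET))
    ah_len_words = (12 + ICV_LEN) // 4 - 2          # AH "payload length" field (RFC 4302)
    ah_fixed = struct.pack("!BBHII", PROTO_UDP, ah_len_words, 0, spi, seq)
    tag = icv(ah_immutable_view(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_fixed + tag + payload


def ah_verify(packet):
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, rest = packet[:ihl], packet[ihl:]
    ah_total = (rest[1] + 2) * 4
    ah_fixed, tag, payload = rest[:12], rest[12:ah_total], rest[ah_total:]
    expected = icv(ah_immutable_view(ip_hdr) + ah_fixed + bytes(len(tag)) + payload)
    return hmac.compare_digest(tag, expected)


def esp_protect(payload, spi=0x2000, seq=1):
    """ESP-NULL transport mode (RFC 2410): ICV over SPI, seq, payload and trailer only."""
    pad_len = -(len(payload) + 2) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, PROTO_UDP])
    body = struct.pack("!II", spi, seq) + payload + trailer
    ip_hdr = ipv4_header(PROTO_ESP, len(body) + ICV_LEN, bso_option(SECRET))
    return ip_hdr + body + icv(body)               # the outer IP header is not covered


def esp_verify(packet):
    ihl = (packet[0] & 0x0F) * 4
    body, tag = packet[ihl:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(tag, icv(body))


def rewrite_label(packet, level):
    """Tamper test: rewrite the BSO classification octet in a packet's IP header."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    i = 20
    while i < ihl and hdr[i] != OPT_EOL:
        if hdr[i] == OPT_NOP:
            i += 1
            continue
        if hdr[i] == OPT_BSO:
            hdr[i + 2] = level
            break
        i += hdr[i + 1]
    return bytes(hdr) + packet[ihl:]


def demo():
    """Return which receivers accept the intact packet and which detect a relabelled header."""
    payload = b"constructed UDP datagram"
    ah_pkt, esp_pkt = ah_protect(payload), esp_protect(payload)
    return {
        "ah_ok": ah_verify(ah_pkt),
        "ah_detects_tamper": not ah_verify(rewrite_label(ah_pkt, UNCLASSIFIED)),
        "esp_ok": esp_verify(esp_pkt),
        "esp_detects_tamper": not esp_verify(rewrite_label(esp_pkt, UNCLASSIFIED)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows `ah_detects_tamper: True` and `esp_detects_tamper: False`: the ESP receiver accepts the datagram with its label changed from Secret to Unclassified because the label sits in the outer IP header, which is exactly the gap the proposed "ESP inherently cannot protect those IP options" sentence describes. The same structure applies to IPv6 and the RFC 5570 CALIPSO hop-by-hop option, although that case is not coded here.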