IETF Logo Mail Archive

Re: [IPsec] Avoiding Authentication Header (AH)

"Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com> Thu, 05 January 2012 09:43 UTC

Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22F8E21F87CA for <ipsec@ietfa.amsl.com>; Thu, 5 Jan 2012 01:43:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.578
X-Spam-Level:
X-Spam-Status: No, score=-6.578 tagged_above=-999 required=5 tests=[AWL=0.021, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MY5R68LMCRKJ for <ipsec@ietfa.amsl.com>; Thu, 5 Jan 2012 01:43:19 -0800 (PST)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37]) by ietfa.amsl.com (Postfix) with ESMTP id 68C5121F85F4 for <ipsec@ietf.org>; Thu, 5 Jan 2012 01:43:19 -0800 (PST)
Received: from inbansmailrelay2.in.alcatel-lucent.com (h135-250-11-33.lucent.com [135.250.11.33]) by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id q059hElD013186 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 5 Jan 2012 03:43:16 -0600 (CST)
Received: from INBANSXCHHUB02.in.alcatel-lucent.com (inbansxchhub02.in.alcatel-lucent.com [135.250.12.35]) by inbansmailrelay2.in.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q059hCtX019001 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Thu, 5 Jan 2012 15:13:13 +0530
Received: from INBANSXCHMBSA1.in.alcatel-lucent.com ([135.250.12.38]) by INBANSXCHHUB02.in.alcatel-lucent.com ([135.250.12.35]) with mapi; Thu, 5 Jan 2012 15:13:13 +0530
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: Sean Turner <turners@ieca.com>
Date: Thu, 05 Jan 2012 15:13:08 +0530
Thread-Topic: [IPsec] Avoiding Authentication Header (AH)
Thread-Index: AczLWn0YgGvNm6yrS4m8g5Msbkt0kQAMUbUg
Message-ID: <7C362EEF9C7896468B36C9B79200D8350D028A2C92@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <7C362EEF9C7896468B36C9B79200D8350D028A2953@INBANSXCHMBSA1.in.alcatel-lucent.com> <6442.1325686562@marajade.sandelman.ca> <7C362EEF9C7896468B36C9B79200D8350D028A2AE5@INBANSXCHMBSA1.in.alcatel-lucent.com> <4F05197A.9090505@ieca.com>
In-Reply-To: <4F05197A.9090505@ieca.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.37
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2012 09:43:20 -0000

Hi Sean,

All I am saying is this:

There are many implementations that don't support AH as 4301 has a MAY support clause for AH.

Many people don't understand this. You could argue that its trivial and they should know this, but this aint an ideal world and people don't realize this.

Even within IETF there could be WGs looking at using or extending AH.

Given that ESP does everything useful that AH does, it makes no sense to continue using AH. I think we should have a draft that says this. However, there are some very corner cases where it *may* make sense to use AH (though I am still a little unconvinced, but I'll concede for the sake of moving on) and people are most welcome to do that.

If a WG ends up mandating AH (when ESP could have been used) then Yes it's a problem for everyone, right from the vendors to the users, who have to now support AH too in their products and networks.

And btw, what we're attempting here is not new in IETF. If you look at a very recent RFC 6472 which was published as a BCP then that's also very similar to what we're trying to do in the IPsec world. Folks had been using AS_SETs in BGP since a long time and its wasn't breaking down the networks. The BCP was published (to quote from the RFC) to:

   to simplify the design and implementation of BGP and to make the
   semantics of the originator of a route more clear.  This will also
   simplify the design, implementation, and deployment of ongoing work
   in the Secure Inter-Domain Routing Working Group.

Similar to the above RFC I think the draft in question does simplify a few things. There is work happening in KARP (that I know you're well aware of) where one of the requirements is to come out with a security mechanism that does NOT preclude the possibility of adding encryption services later. AH can never meet this requirement, so its practically out of the door. When we have so many documents hinting towards that (including the ones from NIST), then why are we being shy about admitting this openly.

I agree with Yaron that there is value in some document that recommends not using AH when ESP-NULL can be employed, and also that points out where AH does make sense.

Cheers, Manav 

-----Original Message-----
From: Sean Turner [mailto:turners@ieca.com] 
Sent: Thursday, January 05, 2012 9:01 AM
To: Bhatia, Manav (Manav)
Cc: mcr@sandelman.ca; ipsec@ietf.org; Nico Williams
Subject: Re: [IPsec] Avoiding Authentication Header (AH)

Manav,

I'm trying to figure out whose implementation this situation will create a problem for?  If the new application or protocol ends up doing one of the 3 things you listed (http://www.ietf.org/mail-archive/web/ipsec/current/msg07401.html), then is the problem that those who haven't implemented AH now have to?

Are there any new applications or protocols that are mandating the use of AH?

Currently, I'm unconcerned about somebody sneaking a new protocol that mandates AH past the IETF because of this group.  This group certainly isn't made up of shrinking violets ;)

spt

On 1/4/12 9:22 AM, Bhatia, Manav (Manav) wrote:
> Hi Marc,
>
> We don't say that. 4301 says that implementations MAY support AH and MUST support ESP.
>
> This creates a problem for implementations if in future a new application or a protocol mandates the use of AH.
>
> I will even go a step further and say that newer protocols should just assume ESP-NULL and not even bother with AH if they can do with just ESP.
>
> Cheers, Manav
>
> -----Original Message-----
> From: mcr@sandelman.ca [mailto:mcr@sandelman.ca]
> Sent: Wednesday, January 04, 2012 7:46 PM
> To: Bhatia, Manav (Manav)
> Cc: Nico Williams; ipsec@ietf.org
> Subject: Re: [IPsec] Avoiding Authentication Header (AH)
>
>
>>>>>> "Manav" == Manav Bhatia<Bhatia>  writes:
>      Manav>  Hi Nico,
>
>      >>  Advising (and updating said advice as circumstances change)
>      >>  use-IPsec protocol designers as to when to use ESP and/or AH is
>      >>  something we should do.  Deprecating AH seems like a nice idea,
>      >>  but if there's good reasons to still use it, then maybe not.
>
>      Manav>  We're not talking about deprecating or killing AH. I concede
>      Manav>  that I did allude to it in my first draft, but then changed
>      Manav>  the tone based on the WG feedback, to say that we should
>      Manav>  "avoid" AH wherever possible.
>
> This is the status quo already.
> Why do we need this draft?
>

v2.23.0 | Report a Bug | By Email