Re: [IPsec] Working Group Last Call: draft-ietf-ipsecme-esp-ah-reqts

Stephen Kent <kent@bbn.com> Wed, 26 February 2014 15:24 UTC

Return-Path: <kent@bbn.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A9E21A028A for <ipsec@ietfa.amsl.com>; Wed, 26 Feb 2014 07:24:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.748
X-Spam-Level:
X-Spam-Status: No, score=-4.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HYazMNIKPZHt for <ipsec@ietfa.amsl.com>; Wed, 26 Feb 2014 07:24:54 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id F3C731A0645 for <ipsec@ietf.org>; Wed, 26 Feb 2014 07:24:50 -0800 (PST)
Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:53871) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1WIgLp-000MCq-9n; Wed, 26 Feb 2014 10:24:49 -0500
Message-ID: <530E0741.4040800@bbn.com>
Date: Wed, 26 Feb 2014 10:24:49 -0500
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Paul Wouters <paul@cypherpunks.ca>, ipsec <ipsec@ietf.org>
References: <530CE583.6030801@gmail.com> <C1A9B4B9-FABA-4EAB-B325-88DCB3F3D9CB@gmail.com> <alpine.LFD.2.10.1402251615220.21879@bofh.nohats.ca> <7722BB5C-67E3-4A26-B767-D31FA122ABFB@vpnc.org> <C304982FF00F49BCB9A581CF122595FC@buildpc> <alpine.LFD.2.10.1402260806260.3528@bofh.nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1402260806260.3528@bofh.nohats.ca>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/dmET_S4X56gktAju-LUY0kzsirw
Subject: Re: [IPsec] Working Group Last Call: draft-ietf-ipsecme-esp-ah-reqts
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 15:24:57 -0000

Paul,
> On Wed, 26 Feb 2014, Valery Smyslov wrote:
>
>>> It is for systems that don't implement AH. We should probably say 
>>> this explicitly in section 3.
>>
>> I don't think it is limited for those systems only.
>> You may implement AH, but you cannot use it
>> everywhere, as it is not compatible with NATs.
>> And ESP-NULL with Auth is the only substitute there.
>> So, it must be MUST for any system.
>
> Why did we not kill AH altogether when Schneier and Ferguson told us 
> so? :P
> But you are right. Perhaps some text along the line of:
Perhaps because they were wrong.

ESP-NULL offers better performance than AH and so it is desirable in
most cases. But, AH has been specified by some protocols and we don't
want to undermine their choice by killing it.

Steve
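The NAT point in the thread comes down to what each protocol's integrity check value (ICV) covers: AH's ICV includes the IP addresses (mutable fields such as TTL are zeroed before hashing), while the ICV of ESP-NULL with authentication covers only the ESP header and payload, never the outer IP header. The following added example, which is not part of the thread or of any IPsec implementation, models that difference with a deliberately simplified packet structure and HMAC-SHA256; the key, addresses and payload are constructed values, and the `Packet`, `ah_icv`, `esp_null_icv`, `nat_rewrite` and `forward_hop` names are this example's own.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed demo key; a real SA would negotiate this via IKE.
KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Packet:
    """Simplified packet: outer IP fields plus an ESP/AH-style header and payload."""
    src: str        # IP source address (immutable per RFC 4302, so AH covers it)
    dst: str        # IP destination address (also covered by AH)
    ttl: int        # mutable in transit: AH zeroes it before computing the ICV
    spi: int        # SPI from the AH/ESP header (covered by both)
    seq: int        # sequence number from the AH/ESP header (covered by both)
    payload: bytes  # upper-layer data


def ah_icv(pkt: Packet) -> bytes:
    """Simplified AH: ICV over the IP header with mutable fields zeroed,
    the AH header (SPI, seq) and the payload. Addresses are included."""
    covered = b"|".join([
        pkt.src.encode(), pkt.dst.encode(),
        b"\x00",                       # TTL treated as zero (mutable field)
        pkt.spi.to_bytes(4, "big"), pkt.seq.to_bytes(4, "big"),
        pkt.payload,
    ])
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def esp_null_icv(pkt: Packet) -> bytes:
    """Simplified ESP-NULL with authentication: ICV over the ESP header and
    payload only. The outer IP header is deliberately not covered."""
    covered = b"|".join([
        pkt.spi.to_bytes(4, "big"), pkt.seq.to_bytes(4, "big"), pkt.payload,
    ])
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def forward_hop(pkt: Packet) -> Packet:
    """An ordinary router hop: only the TTL changes."""
    return replace(pkt, ttl=pkt.ttl - 1)


def nat_rewrite(pkt: Packet, public_src: str) -> Packet:
    """Source NAT: rewrite the source address and decrement the TTL."""
    return replace(pkt, src=public_src, ttl=pkt.ttl - 1)


def verify(icv_fn, pkt: Packet, icv: bytes) -> bool:
    """Constant-time comparison of the recomputed ICV with the received one."""
    return hmac.compare_digest(icv_fn(pkt), icv)


def demo() -> dict:
    """Run both protocols' checks through a plain hop and through a NAT."""
    original = Packet("10.0.0.5", "203.0.113.9", 64, 0x1000, 1, b"constructed data")
    ah = ah_icv(original)
    esp = esp_null_icv(original)
    routed = forward_hop(original)
    natted = nat_rewrite(original, "198.51.100.7")
    return {
        "ah_after_hop": verify(ah_icv, routed, ah),          # True: TTL is excluded
        "ah_after_nat": verify(ah_icv, natted, ah),          # False: address changed
        "esp_after_hop": verify(esp_null_icv, routed, esp),  # True
        "esp_after_nat": verify(esp_null_icv, natted, esp),  # True: header not covered
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'FAILS'}")
```

The model leaves out the rest of what a real NAT touches (transport ports and checksums, and the UDP encapsulation that NAT traversal adds for ESP), so it shows only the header-coverage reason that AH cannot survive address rewriting while ESP-NULL with authentication can.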