Re: [IPsec] Avoiding Authentication Header (AH)

Yoav Nir <ynir@checkpoint.com> Thu, 05 January 2012 15:47 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
Date: Thu, 05 Jan 2012 17:47:30 +0200
Message-ID: <6B16D76E-A432-497D-A9A2-DF3465449247@checkpoint.com>
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350D028A2D56@INBANSXCHMBSA1.in.alcatel-lucent.com>
Cc: IPsec ME WG List <ipsec@ietf.org>, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [IPsec] Avoiding Authentication Header (AH)

On Jan 5, 2012, at 4:37 PM, Bhatia, Manav (Manav) wrote:

> 
>> Getting WESP implemented to the boxes will require a lot of time.
>> There are still lots of boxes which do not even support IKEv2 (which is required for 
>> WESP) and IKEv2 has been out for 6 years already. AH might already be 
> 
> WESP can be used with manual keying the way routing protocols today use ESP and AH.

Hi Manav.

I guess it can, but ESP (and AH and presumably WESP) would be implemented at a lower layer than IKE. For some boxes that would be ESP implemented in silicon and IKE implemented in software.

So getting your own box to start doing IKEv2 is relatively straightforward - a software fix (even if it's referred to as "firmware"), while WESP would require a new box. Even in software implementations, the IPsec code is usually considered more "stable" than the IKE code.

The big vendors have taken years to implement IKEv2 in regular boxes (as opposed to lab curiosities). I don't see them rushing to implement WESP just to please the middlebox makers.

Yoav