Re: [IPsec] Avoiding Authentication Header (AH)

Markku Savela <msa@moth.iki.fi> Thu, 05 January 2012 14:26 UTC

Message-ID: <4F05B2FB.2070007@moth.iki.fi>
Date: Thu, 05 Jan 2012 16:26:03 +0200
From: Markku Savela <msa@moth.iki.fi>
To: ipsec@ietf.org
References: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D027BB46F@INBANSXCHMBSA1.in.alcatel-lucent.com> <F1B15794-3291-4E71-BE26-A3559F408B01@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D027BB484@INBANSXCHMBSA1.in.alcatel-lucent.com> <23AFA108-5B72-4CB0-8498-6CC27FC79F96@gmail.com> <CAA1nO734gfXYJLeLU9iYxoArPZJ3Xo3MsXy0Rt9zgoTciBCZbQ@mail.gmail.com> <CAK3OfOg0Gsxxf8T66XNVLHtR1Tk9yHFDGw96tr0UkEh6x5uYpQ@mail.gmail.com> <48CB2A9F-D59C-462F-8C7A-82127A217703@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D028A2AE4@INBANSXCHMBSA1.in.alcatel-lucent.com> <20229.44292.629825.7429@fireball.kivinen.iki.fi>
In-Reply-To: <20229.44292.629825.7429@fireball.kivinen.iki.fi>

I don't understand why this discussion is needed.

AH is end-to-end, and the transformations to be used
for the connection are negotiated with key negotiation
and configured policies.

If end points don't want to use AH for whatever
reason (like not implemented), they are not asking for it.

If end points decide to use it, they have it implemented,
it is their business and it should be irrelevant for any
intermediate node (for deep obnoxious packet inspection,
skipping AH is a trivial matter).
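The point made above, that an intermediate node can step over AH without any knowledge of the keys, follows from the AH format in RFC 4302: the header carries its own Next Header and Payload Len fields in the clear. The following is an added example, not code from the post or from any IPsec implementation: it walks an IPv6 header chain, skips an AH header by its declared length, and reports the upper-layer protocol, which is all an inspection box needs. The sample packet is constructed inline; the SPI and sequence number are extracted only so they could be logged, since the ICV cannot be verified without the SA's key.

```python
"""
Added example (not from the original mailing-list post): an intermediate
node that wants to see the upper-layer protocol can step over an AH
header without key material, because AH (RFC 4302) carries its own
length in the clear. All packets below are constructed here.
"""
import struct

AH = 51            # IP protocol number for Authentication Header
TCP = 6
IPV6_EXT = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-opts"}


def ah_header_len(buf: bytes, off: int) -> int:
    """Byte length of the AH header starting at buf[off].

    RFC 4302: Payload Len counts 32-bit words minus 2, so the whole
    header (fixed fields + ICV + padding) is (Payload Len + 2) * 4 bytes.
    """
    if len(buf) < off + 12:
        raise ValueError("truncated AH header")
    payload_len = buf[off + 1]
    return (payload_len + 2) * 4


def skip_ah(buf: bytes, off: int):
    """Return (next_header, offset_after_ah, spi, seq) for the AH at off.

    Nothing here verifies the ICV; a middlebox has no key for that and
    does not need one merely to find the next header.
    """
    length = ah_header_len(buf, off)
    if len(buf) < off + length:
        raise ValueError("AH header runs past end of packet")
    next_hdr = buf[off]
    spi, seq = struct.unpack_from("!II", buf, off + 4)
    return next_hdr, off + length, spi, seq


def upper_layer_protocol(pkt: bytes):
    """Walk IPv6 extension headers (including AH) to the upper-layer header.

    Returns (protocol_number, offset_of_that_header, saw_ah).
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, saw_ah = pkt[6], 40, False
    while True:
        if nh == AH:
            nh, off, _spi, _seq = skip_ah(pkt, off)
            saw_ah = True
        elif nh in IPV6_EXT:
            # Hop-by-hop/routing/dest-opts: Hdr Ext Len is in 8-octet units
            # excluding the first 8 octets; the fragment header is fixed 8.
            if len(pkt) < off + 8:
                raise ValueError("truncated extension header")
            ext_len = 8 if nh == 44 else (pkt[off + 1] + 1) * 8
            nh, off = pkt[off], off + ext_len
        else:
            return nh, off, saw_ah


def build_sample() -> bytes:
    """Constructed packet: IPv6 / AH (12-byte ICV, as HMAC-SHA1-96) / TCP."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    # AH: next=TCP, Payload Len=4 -> (4+2)*4 = 24 bytes = 12 fixed + 12 ICV.
    # SPI 0x1000 and sequence 1 are arbitrary sample values.
    ah = struct.pack("!BBHII", TCP, 4, 0, 0x1000, 1) + b"\x00" * 12
    payload = ah + tcp
    # Version 6, flow label 0, payload length, next header AH, hop limit 64,
    # followed by zeroed source and destination addresses (32 bytes).
    ip6 = struct.pack("!IHBB", 6 << 28, len(payload), AH, 64) + b"\x00" * 32
    return ip6 + payload


if __name__ == "__main__":
    proto, off, saw_ah = upper_layer_protocol(build_sample())
    print(f"upper-layer protocol {proto} at offset {off}, AH present: {saw_ah}")
```

The length checks matter for an inspection device: a Payload Len that points past the end of the packet is rejected rather than read out of bounds, which is the failure mode a parser in this position is most likely to hit on malformed or truncated traffic.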