Re: [IPsec] Avoiding Authentication Header (AH)

RJ Atkinson <rja.lists@gmail.com> Mon, 02 January 2012 21:58 UTC

On 02 Jan 2012, at 14:15, Jack Kohn wrote:
> In case of IPv4, which field in the IP header
> are you most interested in protecting?

An IPv4 example would be validating the [FIPS-188]
IPv4 option, which can't be protected any other way.

That option is supported by a range of operating systems,
both commercial and open-source.  I'm told by
a major computer vendor that Linux supports this
for both IPv4 and IPv6.  The option reportedly
is deployed in environments ranging from certain
large financial institutions to governments.
Some devices that perform IP routing also perform
security checks that ensure the label on a given
packet is in range for the output interface;
end systems also separately need to trust
the label integrity.

Similar IPv6 examples exist.

Yours,

Ran
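As an added illustration (not part of this thread and not anyone's implementation), the Python below shows why AH can bind an IPv4 option that ESP cannot: the AH ICV is computed over the IP header with only the mutable fields zeroed, so an immutable option such as the CIPSO/FIPS-188 label (option 134) is covered, while a TTL decrement on the path is not. The option numbers and the mutable-field list follow RFC 4302 Appendix A1 as I recall it, and the packet bytes and key are constructed; treat all of them as assumptions.

```python
import hmac
import hashlib

# Option numbers (RFC 791 / RFC 4302 Appendix A1, from memory; assumption).
CIPSO = 134                          # FIPS-188 label option: immutable, AH covers it
MUTABLE_OPTIONS = {7, 68, 131, 137}  # Record Route, Timestamp, LSRR, SSRR: zeroed whole

def ah_icv_input_ipv4(hdr: bytes) -> bytes:
    """IPv4 header as AH feeds it to the ICV: mutable fields and mutable
    options zeroed, everything else (the CIPSO label included) as sent."""
    ihl = (hdr[0] & 0x0F) * 4
    if ihl < 20 or len(hdr) < ihl:
        raise ValueError("bad IHL")
    b = bytearray(hdr[:ihl])
    b[1] = 0                  # DSCP/ECN
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    i = 20
    while i < ihl:            # walk the option list
        t = b[i]
        if t == 0:            # End of Option List; remaining padding covered as-is
            break
        if t == 1:            # NOP is a single byte
            i += 1
            continue
        ln = b[i + 1]
        if ln < 2 or i + ln > ihl:
            raise ValueError("bad option length")
        if t in MUTABLE_OPTIONS:
            b[i:i + ln] = bytes(ln)
        i += ln
    return bytes(b)

def ah_icv(key: bytes, hdr: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256-128 over the immutable header view plus payload
    (simplified: the AH header itself, also covered in real AH, is omitted)."""
    return hmac.new(key, ah_icv_input_ipv4(hdr) + payload, hashlib.sha256).digest()[:16]

# Constructed sample: IHL=8 (32 bytes), TTL 64, proto 51 (AH), 10.0.0.1 -> 10.0.0.2,
# CIPSO option with DOI 1, tag type 1, sensitivity level 3, then EOL padding.
CIPSO_OPT = bytes([CIPSO, 10, 0, 0, 0, 1, 1, 4, 0, 3]) + b"\x00\x00"
HDR = bytes([0x48, 0x00, 0x00, 0x40, 0x12, 0x34, 0x40, 0x00, 0x40, 0x33, 0, 0,
             10, 0, 0, 1, 10, 0, 0, 2]) + CIPSO_OPT
KEY = b"constructed-demo-key"
PAYLOAD = b"hello"

def label_tamper_detected() -> bool:
    """A router decrementing TTL keeps the ICV valid; rewriting the label
    level from 3 to 5 (byte 29 of HDR) invalidates it."""
    icv = ah_icv(KEY, HDR, PAYLOAD)
    hopped = bytearray(HDR); hopped[8] -= 1
    relabelled = bytearray(HDR); relabelled[29] = 5
    ttl_ok = hmac.compare_digest(icv, ah_icv(KEY, bytes(hopped), PAYLOAD))
    label_ok = hmac.compare_digest(icv, ah_icv(KEY, bytes(relabelled), PAYLOAD))
    return ttl_ok and not label_ok
```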