Re: [IPsec] Avoiding Authentication Header (AH)

Nico Williams <nico@cryptonector.com> Tue, 03 January 2012 00:28 UTC

In-Reply-To: <F1B15794-3291-4E71-BE26-A3559F408B01@gmail.com>
References: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D027BB46F@INBANSXCHMBSA1.in.alcatel-lucent.com> <F1B15794-3291-4E71-BE26-A3559F408B01@gmail.com>
Date: Mon, 02 Jan 2012 18:28:42 -0600
Message-ID: <CAK3OfOh6uCm_Zyt0HTx3TAYPVuJeVrJmEWcGBujGRx=m90NNTQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: RJ Atkinson <rja.lists@gmail.com>
Cc: IPsec ME WG List <ipsec@ietf.org>
Subject: Re: [IPsec] Avoiding Authentication Header (AH)

On Mon, Jan 2, 2012 at 3:11 PM, RJ Atkinson <rja.lists@gmail.com> wrote:
> I gave a list earlier of a number of different scenarios where
> and reasons why AH is used.  A subset of that list:
>        - ESP null does not protect options/optional headers.

ESP in tunnel mode is supposed to be the replacement for AH, and gets you this.

>        - ESP null cannot reliably be parsed past.

WESP is supposed to provide this.

Would tunnel mode be too expensive for new protocols that need
integrity protection of outer headers?

In any case, if there's no way to remove AH support from existing
implementations any time soon, then there's not much benefit to moving
AH to Historic either.  And it's clear that the controversy that has
arisen will take a fair bit of energy to resolve.  It may be best to
simply publish an Informational RFC providing advice on what new
protocols that say "use IPsec" should do.

Nico
--
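The two points traded above, that ESP-NULL "cannot reliably be parsed past" and that WESP is meant to fix that, come down to where the Next Header byte sits. In ESP (RFC 4303) it is the last byte before the ICV, and the ICV length is a property of the SA, so a middlebox without SA state has to guess it. WESP (RFC 5840) prepends a four-byte header carrying Next Header, HdrLen and TrailerLen so the payload boundaries can be read without any key. The following is an added illustration written for this thread, not code from the mail or from any IPsec implementation; the SPI, key and inner payload are constructed sample values, the trailer and WESP layouts follow the two RFCs, and the ICV here is a truncated HMAC-SHA256 standing in for whatever integrity algorithm the SA negotiated.

```python
"""Why a middlebox cannot parse past ESP-NULL, and how WESP (RFC 5840) helps.

Added example for the AH/ESP/WESP discussion; not code from the original mail.
Layouts follow RFC 4303 (ESP) and RFC 5840 (WESP). Keys, SPI and payload are
constructed sample values.
"""
import hashlib
import hmac
import struct

IPPROTO_UDP = 17
WESP_FLAG_E = 0x20          # RFC 5840 Flags: Version(2) | E | P | Rsvd(4)
WESP_VERSION_MASK = 0xC0

KEY = b"constructed-sample-integrity-key"   # constructed; real keys come from IKE


def icv(key, data, icv_len):
    """Truncated HMAC as the ESP ICV; the truncation length is SA-specific
    (12 bytes for HMAC-SHA1-96, 16 for HMAC-SHA256-128) and unknown to a middlebox."""
    return hmac.new(key, data, hashlib.sha256).digest()[:icv_len]


def esp_null_body(spi, seq, inner, next_header):
    """ESP with NULL encryption, everything before the ICV:
    SPI | Seq | payload | padding | Pad Length | Next Header (RFC 4303 s2)."""
    pad_len = (-(len(inner) + 2)) % 4          # 4-octet alignment for IPv4
    padding = bytes(range(1, pad_len + 1))     # RFC 4303 default pad pattern
    return struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])


def build_esp_null(spi, seq, inner, next_header, key, icv_len):
    body = esp_null_body(spi, seq, inner, next_header)
    return body + icv(key, body, icv_len)


def middlebox_parse_esp_null(pkt, assumed_icv_len):
    """A keyless observer must *assume* an ICV length to find Next Header.
    Returns (next_header, payload), or None when the assumption is implausible."""
    end = len(pkt) - assumed_icv_len           # where the trailer's NH byte ends
    if end < 10:
        return None
    pad_len, next_header = pkt[end - 2], pkt[end - 1]
    if 8 + pad_len + 2 > end:                  # pad would overlap SPI/Seq: wrong guess
        return None
    return next_header, pkt[8:end - 2 - pad_len]


def build_wesp_null(spi, seq, inner, next_header, key, icv_len):
    """WESP: NextHeader | HdrLen | TrailerLen | Flags, then the ESP packet.
    HdrLen spans WESP header + SPI/Seq (+ IV, none for NULL); TrailerLen is
    padding + Pad Length + Next Header + ICV. The ICV also covers the WESP
    header, so a middlebox cannot rewrite the offsets undetected."""
    body = esp_null_body(spi, seq, inner, next_header)
    pad_len = body[-2]
    hdr_len = 4 + 8
    trailer_len = pad_len + 2 + icv_len
    wesp_hdr = struct.pack("!BBBB", next_header, hdr_len, trailer_len, 0x00)
    protected = wesp_hdr + body
    return protected + icv(key, protected, icv_len)


def middlebox_parse_wesp(pkt):
    """Locate the cleartext payload with no SA state at all."""
    next_header, hdr_len, trailer_len, flags = struct.unpack("!BBBB", pkt[:4])
    if flags & WESP_VERSION_MASK:
        raise ValueError("unknown WESP version")
    if flags & WESP_FLAG_E:
        return next_header, None               # encrypted payload: nothing to inspect
    if hdr_len + trailer_len > len(pkt):
        raise ValueError("inconsistent WESP lengths")
    return next_header, pkt[hdr_len:len(pkt) - trailer_len]


def endpoint_verify_wesp(pkt, key, icv_len):
    """The IPsec endpoint knows the SA: check the ICV, then require the WESP
    fields to agree with the ESP trailer as RFC 5840 demands, dropping otherwise."""
    next_header, hdr_len, trailer_len, flags = struct.unpack("!BBBB", pkt[:4])
    protected, tag = pkt[:-icv_len], pkt[-icv_len:]
    if not hmac.compare_digest(tag, icv(key, protected, icv_len)):
        return False
    pad_len, esp_next_header = protected[-2], protected[-1]
    if hdr_len != 12 or trailer_len != pad_len + 2 + icv_len:
        return False
    if not flags & WESP_FLAG_E and esp_next_header != next_header:
        return False
    return True


if __name__ == "__main__":
    inner = b"ping"                            # constructed inner datagram
    for icv_len in (12, 16):
        esp = build_esp_null(0x1000, 1, inner, IPPROTO_UDP, KEY, icv_len)
        wesp = build_wesp_null(0x1000, 1, inner, IPPROTO_UDP, KEY, icv_len)
        print(f"SA with {icv_len}-byte ICV:")
        print("  ESP-NULL, middlebox assuming 12-byte ICV ->",
              middlebox_parse_esp_null(esp, 12))
        print("  WESP, middlebox with no SA state          ->",
              middlebox_parse_wesp(wesp))
        print("  WESP, endpoint verification               ->",
              endpoint_verify_wesp(wesp, KEY, icv_len))
```

Run as a script, the ESP-NULL line comes out right only for the SA whose ICV length matches the middlebox's guess, while the WESP line is correct for both; the endpoint check is what keeps the unauthenticated-looking WESP offsets honest, since any edit to them invalidates the ICV.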