Re: [IPsec] Avoiding Authentication Header (AH)

Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 05 January 2012 07:22 UTC

Message-ID: <4F054FC3.4040400@gmail.com>
Date: Thu, 05 Jan 2012 09:22:43 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Sean Turner <turners@ieca.com>
References: <7C362EEF9C7896468B36C9B79200D8350D028A2953@INBANSXCHMBSA1.in.alcatel-lucent.com> <6442.1325686562@marajade.sandelman.ca> <7C362EEF9C7896468B36C9B79200D8350D028A2AE5@INBANSXCHMBSA1.in.alcatel-lucent.com> <4F05197A.9090505@ieca.com>
In-Reply-To: <4F05197A.9090505@ieca.com>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Nico Williams <nico@cryptonector.com>, "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>, "mcr@sandelman.ca" <mcr@sandelman.ca>
Subject: Re: [IPsec] Avoiding Authentication Header (AH)

Hi Sean,

First, thanks for the collective compliment. But in fact I have seen two 
recent cases where IPsec/IKE-related work did manage to sneak past this 
workgroup until quite late in the process 
(http://tools.ietf.org/html/draft-ietf-hokey-rfc5296bis-06, 
http://tools.ietf.org/html/draft-ietf-dime-ikev2-psk-diameter-11). It 
may be a matter of lack of communication or lack of energy, but these 
things do happen. So I do see value in a draft that explicitly 
recommends not using AH in general, and points out where AH does make sense.

Thanks,
Yaron

On 01/05/2012 05:31 AM, Sean Turner wrote:
> Manav,
>
> I'm trying to figure out whose implementation this situation will 
> create a problem for? If the new application or protocol ends up doing 
> one of the 3 things you listed 
> (http://www.ietf.org/mail-archive/web/ipsec/current/msg07401.html), 
> then is the problem that those who haven't implemented AH now have to?
>
> Are there any new applications or protocols that are mandating the use 
> of AH?
>
> Currently, I'm unconcerned about somebody sneaking a new protocol that 
> mandates AH past the IETF because of this group. This group certainly 
> isn't made up of shrinking violets ;)
>
> spt
>
> On 1/4/12 9:22 AM, Bhatia, Manav (Manav) wrote:
>> Hi Marc,
>>
>> We don't say that. 4301 says that implementations MAY support AH and 
>> MUST support ESP.
>>
>> This creates a problem for implementations if in future a new 
>> application or a protocol mandates the use of AH.
>>
>> I will even go a step further and say that newer protocols should 
>> just assume ESP-NULL and not even bother with AH if they can do with 
>> just ESP.
>>
>> Cheers, Manav
>>
>> -----Original Message-----
>> From: mcr@sandelman.ca [mailto:mcr@sandelman.ca]
>> Sent: Wednesday, January 04, 2012 7:46 PM
>> To: Bhatia, Manav (Manav)
>> Cc: Nico Williams; ipsec@ietf.org
>> Subject: Re: [IPsec] Avoiding Authentication Header (AH)
>>
>>
>>>>>>> "Manav" == Manav Bhatia<Bhatia> writes:
>> Manav> Hi Nico,
>>
>> >> Advising (and updating said advice as circumstances change)
>> >> use-IPsec protocol designers as to when to use ESP and/or AH is
>> >> something we should do. Deprecating AH seems like a nice idea,
>> >> but if there's good reasons to still use it, then maybe not.
>>
>> Manav> We're not talking about deprecating or killing AH. I concede
>> Manav> that I did allude to it in my first draft, but then changed
>> Manav> the tone based on the WG feedback, to say that we should
>> Manav> "avoid" AH wherever possible.
>>
>> This is the status quo already.
>> Why do we need this draft?
>>