Re: [IPsec] Avoiding Authentication Header (AH)
RJ Atkinson <rja.lists@gmail.com> Tue, 03 January 2012 01:22 UTC
Return-Path: <rja.lists@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD4BF21F8518 for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 17:22:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uMQaRgF4zQQN for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 17:22:04 -0800 (PST)
Received: from mail-qw0-f51.google.com (mail-qw0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id AC29C21F849E for <ipsec@ietf.org>; Mon, 2 Jan 2012 17:22:04 -0800 (PST)
Received: by qadz3 with SMTP id z3so10380223qad.10 for <ipsec@ietf.org>; Mon, 02 Jan 2012 17:22:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=content-type:mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to:x-mailer; bh=6UrKhu/8XA5PB/JxMLUAtYvxVCg/amdEs4OzKHJ+dZE=; b=Z9na2yGXTmGNiVJLktiPIggx7XAwHgOBJQKgsay+Pwdwy30Ivuk2vsUi7fCIxNWh6W nmGTqB2WOvkunSQkvEmXsYjrLttXTgawxHK+S04eG4/7ubvXSmYQDn6o9y+Ujn4n84XK t3ZHlONcU+YWjuK9z+2njO6MzLpmMHHtsUelU=
Received: by 10.224.183.65 with SMTP id cf1mr59121825qab.55.1325553724243; Mon, 02 Jan 2012 17:22:04 -0800 (PST)
Received: from [10.30.20.12] (pool-96-225-134-175.nrflva.fios.verizon.net. [96.225.134.175]) by mx.google.com with ESMTPS id el7sm96492525qab.16.2012.01.02.17.22.02 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 02 Jan 2012 17:22:03 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Apple Message framework v1251.1)
From: RJ Atkinson <rja.lists@gmail.com>
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350D027BB484@INBANSXCHMBSA1.in.alcatel-lucent.com>
Date: Mon, 02 Jan 2012 20:22:01 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <23AFA108-5B72-4CB0-8498-6CC27FC79F96@gmail.com>
References: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D027BB46F@INBANSXCHMBSA1.in.alcatel-lucent.com> <F1B15794-3291-4E71-BE26-A3559F408B01@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D027BB484@INBANSXCHMBSA1.in.alcatel-lucent.com>
To: IPsec ME WG List <ipsec@ietf.org>
X-Mailer: Apple Mail (2.1251.1)
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2012 01:22:05 -0000
On 02 Jan 2012, at 19:51 , Bhatia, Manav (Manav) wrote: > It doesn't need to because nobody uses it. I know of multiple sites who have it deployed today. > The reason the above draft exists is because there were > many people (at least service providers) who said that > they did NOT want to use IPsec for OSPFv3. More precisely, a few service providers and a few vendors said this. Major vendors had already shipped the capability, and numerous users had deployed it. Unfortunately, the IETF has long-standing challenges with getting users/operators, especially enterprise/academic/ government users, to participate in its WGs. Service providers are overwhelmingly using IS-IS for IPv6, not OSPFv3, in any event. > I am sure you have customers who love using IPsec for OSPFv3, > but there is a larger percentage that doesn't. One of my clients operates a multi-continent IP network. I also have non-ISP clients. You acknowledge that you have no contact with the IPsec for OSPFv3 users. So, by your own admission, I have more data than you do. We disagree on the percentages. > Routing Header is a security nightmare. > You were probably not aware that it has been recently deprecated by the IETF. > > http://tools.ietf.org/html/rfc5095 Actually, the IPv6 Routing Header itself is not deprecated. Only the RH Type 0 was deprecated by RFC-5095. IANA.org reports the Type 2 and Type 3 IPv6 Routing Headers remain valid and are not deprecated (Type 3 is work in progress, but allocated already). > From the draft-bhatia-ipsecme-avoiding-ah-00: > > Hop-by-Hop options are not an issue, as the intermediate > hops do not have keys to verify the message authentication > code so they cannot really be protected anyways. That claim isn't true either. Please consider deployments where the intermediate hops DO have those keys, obtained for example from a KDC. The IETF has standardised Kerberos, for example, so a standards-based solution exists in this area. Separately, RFC-4359 specifies how one can use RSA/SHA-1 signatures within AH. So it is entirely possible to give a middle box a verification key -- without also giving the middle box a signing key for the traffic being protected. I'm not going to write the I-D for you, nor am I going to waste my time enumerating every single problem with the draft. There are too many technical flaws and it would take too long. I can't improve upon Dan Harkins' explanation of why trying to fix the I-D is a waste of time and energy. Yours, Ran
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Paul Hoffman
- Re: [IPsec] Avoiding Authentication Header (AH) Venkatesh Sriram
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Dan Harkins
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) Nico Williams
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Nico Williams
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Michael Richardson
- Re: [IPsec] Avoiding Authentication Header (AH) Michael Richardson
- Re: [IPsec] Avoiding Authentication Header (AH) Michael Richardson
- Re: [IPsec] Avoiding Authentication Header (AH) Nico Williams
- Re: [IPsec] Avoiding Authentication Header (AH) Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) Nico Williams
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- Re: [IPsec] Avoiding Authentication Header (AH) Michael Richardson
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) RJ Atkinson
- [IPsec] WESP and reliability Paul Hoffman
- Re: [IPsec] WESP and reliability RJ Atkinson
- Re: [IPsec] WESP and reliability Paul Hoffman
- Re: [IPsec] Avoiding Authentication Header (AH) Dan Harkins
- Re: [IPsec] WESP and reliability Yaron Sheffer
- Re: [IPsec] Avoiding Authentication Header (AH) Nico Williams
- Re: [IPsec] WESP and reliability Bhatia, Manav (Manav)
- Re: [IPsec] WESP and reliability Jack Kohn
- Re: [IPsec] Avoiding Authentication Header (AH) Sean Turner
- Re: [IPsec] WESP and reliability Yaron Sheffer
- Re: [IPsec] Avoiding Authentication Header (AH) Yaron Sheffer
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Tero Kivinen
- Re: [IPsec] Avoiding Authentication Header (AH) Tero Kivinen
- Re: [IPsec] Avoiding Authentication Header (AH) Markku Savela
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Tero Kivinen
- Re: [IPsec] Avoiding Authentication Header (AH) Yoav Nir
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Bhatia, Manav (Manav)
- Re: [IPsec] Avoiding Authentication Header (AH) Panos Kampanakis