IETF Logo Mail Archive

Re: [IPsec] Avoiding Authentication Header (AH)

RJ Atkinson <rja.lists@gmail.com> Tue, 03 January 2012 01:22 UTC

Return-Path: <rja.lists@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD4BF21F8518 for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 17:22:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uMQaRgF4zQQN for <ipsec@ietfa.amsl.com>; Mon, 2 Jan 2012 17:22:04 -0800 (PST)
Received: from mail-qw0-f51.google.com (mail-qw0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id AC29C21F849E for <ipsec@ietf.org>; Mon, 2 Jan 2012 17:22:04 -0800 (PST)
Received: by qadz3 with SMTP id z3so10380223qad.10 for <ipsec@ietf.org>; Mon, 02 Jan 2012 17:22:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=content-type:mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to:x-mailer; bh=6UrKhu/8XA5PB/JxMLUAtYvxVCg/amdEs4OzKHJ+dZE=; b=Z9na2yGXTmGNiVJLktiPIggx7XAwHgOBJQKgsay+Pwdwy30Ivuk2vsUi7fCIxNWh6W nmGTqB2WOvkunSQkvEmXsYjrLttXTgawxHK+S04eG4/7ubvXSmYQDn6o9y+Ujn4n84XK t3ZHlONcU+YWjuK9z+2njO6MzLpmMHHtsUelU=
Received: by 10.224.183.65 with SMTP id cf1mr59121825qab.55.1325553724243; Mon, 02 Jan 2012 17:22:04 -0800 (PST)
Received: from [10.30.20.12] (pool-96-225-134-175.nrflva.fios.verizon.net. [96.225.134.175]) by mx.google.com with ESMTPS id el7sm96492525qab.16.2012.01.02.17.22.02 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 02 Jan 2012 17:22:03 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Apple Message framework v1251.1)
From: RJ Atkinson <rja.lists@gmail.com>
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350D027BB484@INBANSXCHMBSA1.in.alcatel-lucent.com>
Date: Mon, 02 Jan 2012 20:22:01 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <23AFA108-5B72-4CB0-8498-6CC27FC79F96@gmail.com>
References: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D027BB46F@INBANSXCHMBSA1.in.alcatel-lucent.com> <F1B15794-3291-4E71-BE26-A3559F408B01@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D027BB484@INBANSXCHMBSA1.in.alcatel-lucent.com>
To: IPsec ME WG List <ipsec@ietf.org>
X-Mailer: Apple Mail (2.1251.1)
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2012 01:22:05 -0000

On 02  Jan 2012, at 19:51 , Bhatia, Manav (Manav) wrote:
> It doesn't need to because nobody uses it.

I know of multiple sites who have it deployed today.

> The reason the above draft exists is because there were
> many people (at least service providers) who said that
> they did NOT want to use IPsec for OSPFv3.

More precisely, a few service providers and a few vendors 
said this.  Major vendors had already shipped the capability,
and numerous users had deployed it.  

Unfortunately, the IETF has long-standing challenges with 
getting users/operators, especially enterprise/academic/
government users, to participate in its WGs.

Service providers are overwhelmingly using IS-IS for IPv6, 
not OSPFv3, in any event.

> I am sure you have customers who love using IPsec for OSPFv3,
> but there is a larger percentage that doesn't.

One of my clients operates a multi-continent IP network.
I also have non-ISP clients.  You acknowledge that you 
have no contact with the IPsec for OSPFv3 users.
So, by your own admission, I have more data than you do.

We disagree on the percentages.

> Routing Header is a security nightmare.
> You were probably not aware that it has been recently deprecated by the IETF.
> 
> http://tools.ietf.org/html/rfc5095

Actually, the IPv6 Routing Header itself is not deprecated.
Only the RH Type 0 was deprecated by RFC-5095.

IANA.org reports the Type 2 and Type 3 IPv6 Routing 
Headers remain valid and are not deprecated (Type 3 
is work in progress, but allocated already).

> From the draft-bhatia-ipsecme-avoiding-ah-00:
> 
>   Hop-by-Hop options are not an issue, as the intermediate
>   hops do not have keys to verify the message authentication
>   code so they cannot really be protected anyways.

That claim isn't true either.  

Please consider deployments where the intermediate hops 
DO have those keys, obtained for example from a KDC.  
The IETF has standardised Kerberos, for example, so
a standards-based solution exists in this area.

Separately, RFC-4359 specifies how one can use 
RSA/SHA-1 signatures within AH.  So it is entirely
possible to give a middle box a verification key --
without also giving the middle box a signing key
for the traffic being protected.

I'm not going to write the I-D for you, nor am I going
to waste my time enumerating every single problem
with the draft.  There are too many technical flaws
and it would take too long.  I can't improve upon 
Dan Harkins' explanation of why trying to fix the 
I-D is a waste of time and energy.

Yours,

Ran

v2.23.0 | Report a Bug | By Email