Re: [IPsec] I-D Action: draft-ietf-ipsecme-esp-ah-reqts-03.txt

Tero Kivinen <kivinen@iki.fi> Fri, 04 April 2014 09:18 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78B831A011A for <ipsec@ietfa.amsl.com>; Fri, 4 Apr 2014 02:18:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BcZngtbmfeL0 for <ipsec@ietfa.amsl.com>; Fri, 4 Apr 2014 02:18:08 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id BBD9C1A001D for <ipsec@ietf.org>; Fri, 4 Apr 2014 02:18:07 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.7/8.14.5) with ESMTP id s349HxuI013102 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 4 Apr 2014 12:17:59 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.7/8.12.11) id s349Hw2M003742; Fri, 4 Apr 2014 12:17:58 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <21310.30918.867602.256237@fireball.kivinen.iki.fi>
Date: Fri, 4 Apr 2014 12:17:58 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: RJ Atkinson <rja.lists@gmail.com>
In-Reply-To: <D11E3740-F7CA-48A9-8183-E10C824F7D54@gmail.com>
References: <5FB505F6-3CC8-4685-851D-09BB05813542@gmail.com> <7AD00C63-C36C-47F0-9D41-916847F018A2@vpnc.org> <3760F0D0-F93A-4AFB-BBD4-772AA717F2B6@gmail.com> <0B1B3C1C-1EC6-4B22-98FA-E05E3506D3E3@vpnc.org> <D11E3740-F7CA-48A9-8183-E10C824F7D54@gmail.com>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 16 min
X-Total-Time: 37 min
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/yYBX0Nr9OWAGgSKuN453n9Q8eN4
Cc: IPsec ME WG List <ipsec@ietf.org>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-esp-ah-reqts-03.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Apr 2014 09:18:12 -0000

RJ Atkinson writes:
> > If that's what the WG wants, great. In me reading the
> > list as a document author, I don't see people agreeing with that.
> 
> If this I-D is NOT addressing all IPsec use cases, then why isn't
> this I-D titled the "IPsec VPN Requirements" document ?

I think you are wrong there. VPN uses cases do not use ESP NULL (nor
does it use AH). In all VPN cases the encryption is the important part
there. I do not really see anybody running VPN tunnels in the internet
using ESP NULL (or AH).

As Paul said if this would be VPN specific then it would not say
anything about AH or ESP NULL.

> >   The IPsec community generally prefers ESP with NULL encryption over AH.
> >   AH is still required in some protocols and operational environments when
> >   there are security-sensitive options in the IP header, such as source
> >   routing headers; ESP inherently cannot those IP options.
> 
> I assume you meant to write:  s/cannot those/cannot protect those/

ESP in tunnel mode can protect end to end options without any
problems, and also protects the whole inner IP header. ESP cannot
protect options which are used by the intermediate devices, but on the
other those intermediate devices do not have the keying material to
verify the authentication header anyways so whether AH or ESP NULL is
used it does not matter.

And if the intermediate devices do have the keying material then they
can even parse through ESP NULL too as they do know the parameters.

The main problem with the AH is that it does not work with NATs which
makes its use in lots of environments difficult in the internet. It
does work in the enterprice or other controlled environments.

> >> It also should mention IP sensitivity label options, such as RFC-1108 
> >> and RFC-5570 as a use case for AH, in addition to source-routing headers.
> > 
> > Having this document listing all of the IP options from Informational RFCs
> > would undermine the value of this document.
> 
>   Adding s/source routing headers;/source routing headers or sensitivity
> label options;/  plus adding those 2 RFC citations to your "proposed 
> improvement" text above could not possibly "undermine the value of this 
> document", particularly since both RFCs are examples of currently
> deployed use cases.

As those options cannot be protected in transit with AH or ESP NULL
without sharing the keying material to the intermediate devices, I see
no point of listing those. 

>   Please re-consider applying the brief text edits I've provided just above 
> and the corresponding citations to those 2 RFCs.

I see no point of adding those citations, nor adding those examples.
-- 
kivinen@iki.fi