Re: [IPsec] Avoiding Authentication Header (AH)

"Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com> Tue, 03 January 2012 00:36 UTC

From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: Nico Williams <nico@cryptonector.com>, RJ Atkinson <rja.lists@gmail.com>
Date: Tue, 03 Jan 2012 06:06:05 +0530
Message-ID: <7C362EEF9C7896468B36C9B79200D8350D027BB483@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <12533D04-6B3F-490F-935B-4F1FA612C938@gmail.com> <7C362EEF9C7896468B36C9B79200D8350D027BB46F@INBANSXCHMBSA1.in.alcatel-lucent.com> <F1B15794-3291-4E71-BE26-A3559F408B01@gmail.com> <CAK3OfOh6uCm_Zyt0HTx3TAYPVuJeVrJmEWcGBujGRx=m90NNTQ@mail.gmail.com>
In-Reply-To: <CAK3OfOh6uCm_Zyt0HTx3TAYPVuJeVrJmEWcGBujGRx=m90NNTQ@mail.gmail.com>
Cc: IPsec ME WG List <ipsec@ietf.org>
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>

Hi Nico,

http://tools.ietf.org/html/draft-bhatia-ipsecme-avoiding-ah-00 is NOT trying to move AH to Historic.

It's merely trying to discourage newer applications and protocols from mandating AH as the same level of security can be achieved with ESP-NULL. The draft also says:

   It however, does not preclude the possibility of new
   work to IETF that will require or enhance AH.  It just means that the
   authors will have to explain why that solution is really needed and
   the reason why ESP with NULL encryption algorithm cannot be used
   instead.

I had initially published an Informational draft till a few folks pointed out that it could be a BCP.

Cheers, Manav

-----Original Message-----
From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of Nico Williams
Sent: Tuesday, January 03, 2012 5:59 AM
To: RJ Atkinson
Cc: IPsec ME WG List
Subject: Re: [IPsec] Avoiding Authentication Header (AH)

On Mon, Jan 2, 2012 at 3:11 PM, RJ Atkinson <rja.lists@gmail.com> wrote:
> I gave a list earlier of a number of different scenarios where and 
> reasons why AH is used.  A subset of that list:
>        - ESP null does not protect options/optional headers.

ESP in tunnel mode is supposed to be the replacement for AH, and gets you this.

>        - ESP null cannot reliably be parsed past.

WESP is supposed to provide this.

Would tunnel mode be too expensive for new protocols that need integrity protection of outer headers?

In any case, if there's no way to remove AH support from existing implementations any time soon, then there's not much benefit to moving AH to Historic either.  And it's clear that the controversy that has arisen will take a fair bit of energy to resolve.  It may be best to simply publish an Informational RFC providing advice on what new protocols that say "use IPsec" should do.

Nico
--
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
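The integrity-coverage differences argued over in this thread (ESP-NULL in transport mode not covering IP options, ESP tunnel mode covering the whole original header, and AH covering the header only after zeroing the fields and options RFC 4302 classes as mutable), modelled as an added Python example that is not part of the thread or of any IPsec implementation. The key, the two-option packet, and the toy header serialization are constructed for illustration; the mutations represent in-transit changes to the original packet's header.

```python
import copy
import hashlib
import hmac

# Constructed demo key and packet; neither comes from the thread.
KEY = b"constructed-demo-key"

def serialize_header(hdr, zero_mutable):
    """Toy IPv4 header. With zero_mutable=True, the TTL and the options
    marked mutable are zeroed before the ICV is computed (as AH does for
    mutable-in-transit fields); immutable options stay in the covered bytes."""
    ttl = 0 if zero_mutable else hdr["ttl"]
    opts = b"".join(b"\x00" * len(val) if zero_mutable and mutable else val
                    for val, mutable in hdr["options"])
    return hdr["src"].encode() + hdr["dst"].encode() + bytes([ttl]) + opts

def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def protected_bytes(mode, pkt):
    """Bytes covered by the ICV in each mode. The outer header a tunnel
    endpoint prepends is generated fresh and is never covered."""
    hdr, payload = pkt["hdr"], pkt["payload"]
    if mode == "AH":                    # transport AH: immutable header + payload
        return serialize_header(hdr, True) + payload
    if mode == "ESP-NULL-transport":    # ESP header + payload + trailer only
        return b"ESP" + payload
    if mode == "ESP-NULL-tunnel":       # whole original packet is the ESP payload
        return b"ESP" + serialize_header(hdr, False) + payload
    raise ValueError(mode)

def tamper_detected(mode, pkt, mutate):
    """True if an in-transit change made by mutate() invalidates the ICV."""
    before = icv(protected_bytes(mode, pkt))
    changed = copy.deepcopy(pkt)
    mutate(changed)
    return icv(protected_bytes(mode, changed)) != before

def flip_immutable_option(p):   # option 0 is immutable in SAMPLE
    p["hdr"]["options"][0] = (b"\x01\x01", False)

def flip_mutable_option(p):     # option 1 is mutable in SAMPLE
    p["hdr"]["options"][1] = (b"\x02\x02", True)

def change_ttl(p):
    p["hdr"]["ttl"] -= 1

# Constructed packet: two options, the first immutable, the second mutable.
SAMPLE = {"hdr": {"src": "10.0.0.1", "dst": "10.0.0.2", "ttl": 64,
                  "options": [(b"\x01\x00", False), (b"\x02\x00", True)]},
          "payload": b"constructed payload"}

def coverage_table():
    """{mode: (immutable option changed, mutable option changed, TTL changed)}"""
    return {m: tuple(tamper_detected(m, SAMPLE, f) for f in
                     (flip_immutable_option, flip_mutable_option, change_ttl))
            for m in ("AH", "ESP-NULL-transport", "ESP-NULL-tunnel")}
```

Running `coverage_table()` shows transport-mode ESP-NULL detecting none of the header changes, tunnel mode detecting all of them (the original header has become payload), and AH catching only the immutable option.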