Re: Failure of AH
Michael Richardson <mcr+ietf@sandelman.ca> Tue, 21 March 2017 14:57 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 584241299D3 for <ipv6@ietfa.amsl.com>; Tue, 21 Mar 2017 07:57:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6HJXH7o8effK for <ipv6@ietfa.amsl.com>; Tue, 21 Mar 2017 07:57:16 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02D961299BB for <ipv6@ietf.org>; Tue, 21 Mar 2017 07:57:14 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 6D70220183 for <ipv6@ietf.org>; Tue, 21 Mar 2017 11:20:40 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 44AFE636BB for <ipv6@ietf.org>; Tue, 21 Mar 2017 10:57:13 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: 6man WG <ipv6@ietf.org>
Subject: Re: Failure of AH
In-Reply-To: <a9e919b4-df76-f8d1-a7a9-3a632fc03b23@gmail.com>
References: <599257D7-532D-4512-929B-D124623EAF35@ericsson.com> <37ED3E78-B23A-4D29-8597-5A63236129B1@cisco.com> <887bd0f0-32a5-56f1-9ac9-703ecb97a760@gmail.com> <80D8FFF0-2674-48A7-A935-11681F5C5A4D@jisc.ac.uk> <A67E1C07-282B-4422-A2FF-86F6CACBD775@cable.comcast.com> <ab7c95a5-9776-24b5-7c26-4c5987d4c948@isi.edu> <ed2f5144-52fb-dda5-1fb4-62be1625b341@gmail.com> <401F52B1-3D41-4174-9425-50571B2D0B9E@jisc.ac.uk> <6d51de4b-3a9d-0f34-1cd2-5bb30caed75e@gmail.com> <DE16D91D-AE7B-4D3C-B8EA-0CB644FB96BD@cable.comcast.com> <CA+b+ER=6dXLiwvLJa84uvpVeH0daGnZ-06P16JD0UutTrbUYyA@mail.gmail.com> <2a808465-58c9-1d5e-700b-f04043b33c1c@gmail.com> <32305.1489937663@obiwan.sandelman.ca> <0e628656-f8b2-effb-9f93-2efe6b0ee4c5@gmail.com> <11502.1489948766@obiwan.sandelman.ca> <735862da-0e36-b36d-5f0f-0c25245c0f2a@huitema.net> <18061.1490019476@obiwan.sandelman.ca> <a9e919b4-df76-f8d1-a7a9-3a632fc03b23@gmail.com>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 21 Mar 2017 10:57:13 -0400
Message-ID: <28840.1490108233@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/69GfuZoiXFosfvr3o4HiONTC77M>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 14:57:17 -0000
Brian E Carpenter <brian.e.carpenter@gmail.com> wrote: > On 21/03/2017 03:17, Michael Richardson wrote: ... >> So I'm just not worried about breaking AH. > That's well understood for today's AH. What bothers me is that if we > allowed en-route changes to headers now, without thinking this aspect > through, we might make any future AH-like authentication mechanism > impossible too. So at a minimum, we'd have to be sure that inserted, > modifiable and deletable headers are marked in some way that will allow > them to be excluded from authentication. That was thought about years > ago for IPv6 options, but not for extension headers. a) AH was invented in the early 1990s, and was a response to the realization that we might not get a cryptographic system out of the US that included encryption. b) it has never been useful for authenticating IPv6 headers. The one time that we got close was SEND, and we specified the "unknown SPI" behaviour wrong so we couldn't do SEND as AH+ICMP unless we had a flag day. c) I would claim that the headers that would most benefit from being authenticated would ones inserted mid-path :-) That argues actually for IPIP encapsulation of those headers so that the trust anchor is the IPv6 src address. (but, AH SPI# are allocated by destinations, not senders, so AH is also wrong for that) But, we have inadequately documented IPIP header decapsulation by end hosts, explaining that they should ignore AH (or AHng) headers that they do not understand. d) does 7045 even give us enough power to create AHng? I didn't read it that way. I'm just not convinced that "breaks IPsec" is a valid concern. (And I weep saying this) -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- IETF Last Call conclusion for draft-ietf-6man-rfc… Suresh Krishnan
- Re: IETF Last Call conclusion for draft-ietf-6man… Stefano Previdi (sprevidi)
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Tim Chown
- Re: IETF Last Call conclusion for draft-ietf-6man… Leddy, John
- Re: IETF Last Call conclusion for draft-ietf-6man… 神明達哉
- Re: IETF Last Call conclusion for draft-ietf-6man… Voyer, Daniel
- Re: IETF Last Call conclusion for draft-ietf-6man… Joe Touch
- Re: IETF Last Call conclusion for draft-ietf-6man… Joe Touch
- Re: IETF Last Call conclusion for draft-ietf-6man… Fernando Gont
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Joe Touch
- Re: IETF Last Call conclusion for draft-ietf-6man… Mark Smith
- Re: IETF Last Call conclusion for draft-ietf-6man… Tim Chown
- Re: IETF Last Call conclusion for draft-ietf-6man… Xing Li
- Re: IETF Last Call conclusion for draft-ietf-6man… otroan
- Re: IETF Last Call conclusion for draft-ietf-6man… Stewart Bryant
- Re: IETF Last Call conclusion for draft-ietf-6man… Leddy, John
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Manual PMTUD [was ...rfc2460bis-08] Brian E Carpenter
- Re: Manual PMTUD [was ...rfc2460bis-08] Robert Raszuk
- Re: Manual PMTUD [was ...rfc2460bis-08] Brian E Carpenter
- Re: Manual PMTUD [was ...rfc2460bis-08] Mark Smith
- Re: Manual PMTUD [was ...rfc2460bis-08] Robert Raszuk
- Re: Manual PMTUD [was ...rfc2460bis-08] Brian E Carpenter
- Re: Manual PMTUD [was ...rfc2460bis-08] Timothy Winters
- Re: Manual PMTUD [was ...rfc2460bis-08] Michael Richardson
- Re: Manual PMTUD [was ...rfc2460bis-08] Brian E Carpenter
- Re: Manual PMTUD [was ...rfc2460bis-08] Joel M. Halpern
- Re: Manual PMTUD [was ...rfc2460bis-08] Michael Richardson
- Re: Failure of AH (was: Manual PMTUD [was ...rfc2… Christian Huitema
- Re: Failure of AH (was: Manual PMTUD [was ...rfc2… Michael Richardson
- Re: Failure of AH Brian E Carpenter
- Re: Failure of AH Michael Richardson
- Re: IETF Last Call conclusion for draft-ietf-6man… Leddy, John
- Re: IETF Last Call conclusion for draft-ietf-6man… Tim Chown
- Re: IETF Last Call conclusion for draft-ietf-6man… Mark Townsley
- Re: IETF Last Call conclusion for draft-ietf-6man… Mark Townsley
- Re: IETF Last Call conclusion for draft-ietf-6man… Leddy, John
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Jeff Tantsura
- Re: IETF Last Call conclusion for draft-ietf-6man… Suresh Krishnan
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Suresh Krishnan
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- RE: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- RE: IETF Last Call conclusion for draft-ietf-6man… Ackermann, Michael
- Re: IETF Last Call conclusion for draft-ietf-6man… 神明達哉
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Tim Chown
- Re: IETF Last Call conclusion for draft-ietf-6man… Tim Chown
- Re: IETF Last Call conclusion for draft-ietf-6man… Mark Smith
- RE: IETF Last Call conclusion for draft-ietf-6man… Ackermann, Michael
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… otroan
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… otroan
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Tim Chown
- Re: IETF Last Call conclusion for draft-ietf-6man… Jen Linkova
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Jen Linkova
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Tim Chown
- RE: IETF Last Call conclusion for draft-ietf-6man… Ackermann, Michael
- Re: IETF Last Call conclusion for draft-ietf-6man… Suresh Krishnan
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Martin Rex
- Re: IETF Last Call conclusion for draft-ietf-6man… Suresh Krishnan
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Suresh Krishnan
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Fernando Gont
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Suresh Krishnan
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Bob Hinden