About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))
"Eric Vyncke (evyncke)" <evyncke@cisco.com> Tue, 03 March 2020 09:08 UTC
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: "ipv6@ietf.org" <ipv6@ietf.org>
CC: "suresh.krishnan@gmail.com" <suresh.krishnan@gmail.com>, Erik Kline <ek.ietf@gmail.com>
Subject: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))
Date: Tue, 03 Mar 2020 09:08:51 +0000
Message-ID: <FE156CF2-3C58-43A3-A858-E25FE38C322B@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/AJzOX97mUeHjEcDSIgpqUw8gNk0>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
Without any hat except the hat of an individual contributor having spent many years in IPsec and in IPv6 within the IETF and with real-life deployments.

As there are some discussions about 'breaking AH' [1], here are some further points:

- some IETF RFCs also exclude AH in transport mode: e.g., all NAT64 (including MAP-* as they do NAT44)
- IPsec RFC 4301 specifies a MAY for AH and a MUST for ESP, see section 3.2: "IPsec implementations MUST support ESP and MAY support AH."
- RFC 8504 (IPv6 Node Requirements) makes the support of IPsec a SHOULD in section 13.1

IMHO, any specification breaking AH (e.g., by modifying the NextHeader in transport mode) should clearly note that it 'breaks AH' or constrains its use; but it is still acceptable IMHO for an IETF standard specification to 'break AH'.

Finally, I have spent 10+ years designing and deploying IPsec VPNs and very few of them were using AH, and when using AH it was in tunnel mode (except OSPFv3) and until ESP was extended to have authentication.

Hope this helps to clarify the discussion about any document

-éric

[1] please note the quotes around 'break AH' as it is rather 'prevent the use of AH in transport mode' in most current discussions.
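The mechanism behind the message's point that modifying the Next Header in transport mode 'breaks AH' is the RFC 4302 ICV coverage rule: the AH integrity check covers the immutable IPv6 header fields (Next Header, Payload Length, addresses) with mutable fields (Hop Limit, Traffic Class, Flow Label) zeroed, plus the AH header itself and everything after it. The following toy model is an added example written for this page, not code from the message's author or from any IPsec implementation. It assumes HMAC-SHA-256-128 as the ICV algorithm, no Routing Header (so the destination address is immutable), and that any inserted extension header carries only non-mutable options (a Destination Options header with PadN), so the receiver includes it in the ICV computation as-is. Addresses, key and payload are constructed test values. It goes slightly beyond the message by also showing that a normal per-hop Hop Limit decrement does not disturb AH, while an in-flight extension-header insertion that rewrites Next Header and Payload Length does.

```python
"""Toy model of IPv6 AH (RFC 4302) transport-mode ICV coverage.

Added example, not code from the original message. Assumptions:
HMAC-SHA-256-128 ICV, no Routing Header, inserted extension headers
treated as immutable, constructed key/addresses/payload.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

IPPROTO_AH = 51        # Next Header value for the Authentication Header
IPPROTO_DSTOPTS = 60   # Destination Options extension header
IPPROTO_UDP = 17
ICV_LEN = 16           # HMAC-SHA-256-128: ICV truncated to 128 bits


@dataclass(frozen=True)
class IPv6Header:
    payload_length: int    # immutable: covered by the ICV
    next_header: int       # immutable: covered by the ICV
    hop_limit: int         # mutable: zeroed before ICV computation
    src: bytes             # immutable (16 bytes)
    dst: bytes             # immutable here (no Routing Header assumed)
    traffic_class: int = 0 # mutable (DSCP/ECN): zeroed for the ICV
    flow_label: int = 0    # mutable: zeroed for the ICV

    def pack(self, for_icv: bool = False) -> bytes:
        """Serialize the 40-byte header; for_icv=True zeroes the mutable fields."""
        tc = 0 if for_icv else self.traffic_class
        fl = 0 if for_icv else self.flow_label
        hl = 0 if for_icv else self.hop_limit
        word0 = (6 << 28) | (tc << 20) | fl
        return struct.pack("!IHBB", word0, self.payload_length,
                           self.next_header, hl) + self.src + self.dst


@dataclass(frozen=True)
class AHHeader:
    next_header: int       # protocol that follows AH (the upper layer in transport mode)
    spi: int
    seq: int
    icv: bytes = b"\x00" * ICV_LEN

    @staticmethod
    def total_len() -> int:
        # 12 fixed bytes + ICV, padded to a multiple of 8 octets as IPv6 requires
        raw = 12 + ICV_LEN
        return raw + (-raw) % 8

    def pack(self, for_icv: bool = False) -> bytes:
        """Serialize AH; for_icv=True zeroes the ICV field (the padding is always zero)."""
        payload_len = self.total_len() // 4 - 2       # AH length in 32-bit words minus 2
        icv = b"\x00" * ICV_LEN if for_icv else self.icv
        pad = b"\x00" * (self.total_len() - 12 - ICV_LEN)
        return struct.pack("!BBHII", self.next_header, payload_len, 0,
                           self.spi, self.seq) + icv + pad


@dataclass(frozen=True)
class Packet:
    ip: IPv6Header
    ext: bytes             # extension headers between IPv6 and AH (assumed immutable)
    ah: AHHeader
    payload: bytes


def compute_icv(key: bytes, pkt: Packet) -> bytes:
    """ICV over: IPv6 header (mutable fields zeroed), extension headers, AH (ICV zeroed), payload."""
    covered = pkt.ip.pack(for_icv=True) + pkt.ext + pkt.ah.pack(for_icv=True) + pkt.payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(key, src, dst, hop_limit, upper_proto, payload, spi, seq) -> Packet:
    """Build a transport-mode AH packet: IPv6 | AH | upper-layer payload."""
    ah = AHHeader(next_header=upper_proto, spi=spi, seq=seq)
    ip = IPv6Header(payload_length=AHHeader.total_len() + len(payload),
                    next_header=IPPROTO_AH, hop_limit=hop_limit, src=src, dst=dst)
    pkt = Packet(ip, b"", ah, payload)
    return replace(pkt, ah=replace(ah, icv=compute_icv(key, pkt)))


def ah_verify(key: bytes, pkt: Packet) -> bool:
    """Receiver-side check: recompute the ICV over the packet as received."""
    return hmac.compare_digest(compute_icv(key, pkt), pkt.ah.icv)


def forward_hop(pkt: Packet) -> Packet:
    """Ordinary router behaviour: decrement Hop Limit, a mutable field not covered by AH."""
    return replace(pkt, ip=replace(pkt.ip, hop_limit=pkt.ip.hop_limit - 1))


def insert_dst_opts(pkt: Packet) -> Packet:
    """Middlebox inserting a Destination Options header in flight. Doing so forces it to
    rewrite the IPv6 Next Header and Payload Length, both immutable and covered by the ICV."""
    # 8-byte Destination Options header: Next Header = AH, Hdr Ext Len = 0, PadN(4) option
    ext = struct.pack("!BB", pkt.ip.next_header, 0) + b"\x01\x04\x00\x00\x00\x00"
    ip = replace(pkt.ip, next_header=IPPROTO_DSTOPTS,
                 payload_length=pkt.ip.payload_length + len(ext))
    return replace(pkt, ip=ip, ext=pkt.ext + ext)


def demo() -> dict:
    key = bytes(range(32))                                   # constructed test key
    src = bytes.fromhex("20010db8000000000000000000000001")  # documentation prefix
    dst = bytes.fromhex("20010db8000000000000000000000002")
    pkt = ah_protect(key, src, dst, 64, IPPROTO_UDP, b"constructed UDP payload", spi=0x1000, seq=1)
    return {
        "as_sent": ah_verify(key, pkt),                               # True
        "after_hop": ah_verify(key, forward_hop(pkt)),                # True: Hop Limit is mutable
        "after_insert": ah_verify(key, insert_dst_opts(pkt)),         # False: Next Header changed
        "payload_tampered": ah_verify(key, replace(pkt, payload=b"tampered")),  # False
        "wrong_key": ah_verify(b"\x00" * 32, pkt),                    # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'FAILS'}")
```

The contrast between `after_hop` and `after_insert` is the whole argument: AH was designed so that only the fields routers legitimately change are excluded from the check, so any new specification that rewrites Next Header or Payload Length on the path will cause the destination to discard the packet, exactly the 'prevent the use of AH in transport mode' outcome the message describes. ESP in transport mode does not cover the outer IPv6 header at all, which is why the same insertion leaves ESP-authenticated traffic intact.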