RE: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))

Ron Bonica <rbonica@juniper.net> Tue, 03 March 2020 13:56 UTC

From: Ron Bonica <rbonica@juniper.net>
To: "Eric Vyncke (evyncke)" <evyncke=40cisco.com@dmarc.ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>
CC: "suresh.krishnan@gmail.com" <suresh.krishnan@gmail.com>
Subject: RE: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))
Date: Tue, 03 Mar 2020 13:56:21 +0000

Eric,

PSP breaks every IPv6 feature and every upper-layer protocol that relies on the immutability of the following fields in the IPv6 header:

	- Payload Length
	- Next Header

We know that PSP breaks the AH. Can you assure me that it doesn't break anything else?

Ron

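As an added example (not part of the thread, and not code from either author), the Python below models why the rewrite Ron describes defeats AH: it computes an RFC 4302-style ICV over an IPv6 header whose mutable fields are zeroed, then shows that an ordinary Hop Limit decrement still verifies while a PSP-style SRH removal, which changes Payload Length and Next Header, does not. The key, addresses and packet contents are constructed; the 12-byte AH header layout and HMAC-SHA-256-128 follow RFC 4302 and RFC 4868.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not real keying material
SRC = bytes.fromhex("20010db8000000000000000000000001")  # constructed addresses
DST = bytes.fromhex("20010db8000000000000000000000002")
NH_ROUTING, NH_AH, NH_UDP = 43, 51, 17  # IANA protocol numbers

def ipv6_header(payload_len, next_hdr, hop_limit=64, tclass=0, flow=0x12345):
    """40-byte IPv6 base header (RFC 8200 section 3)."""
    return struct.pack("!IHBB16s16s", (6 << 28) | (tclass << 20) | flow,
                       payload_len, next_hdr, hop_limit, SRC, DST)

def ah_view(hdr):
    """RFC 4302 section 3.3.3.1.2: zero the mutable fields (Traffic Class,
    Flow Label, Hop Limit) before hashing. Payload Length (bytes 4-5) and
    Next Header (byte 6) are immutable and stay in the hashed input."""
    return struct.pack("!I", 6 << 28) + hdr[4:7] + b"\x00" + hdr[8:]

def ah_icv(hdr, rest, key=KEY):
    """HMAC-SHA-256-128 (RFC 4868) over the IPv6 header (mutable fields
    zeroed) and everything after it, with the AH ICV field already zeroed."""
    return hmac.new(key, ah_view(hdr) + rest, hashlib.sha256).digest()[:16]

def build(key=KEY):
    """Constructed sender packet: IPv6 | SRH (1 segment, RFC 8754 layout) |
    AH | payload. AH sits after the routing header, as in transport mode."""
    srh = bytes([NH_AH, 2, 4, 0, 0, 0, 0, 0]) + DST   # Segments Left = 0
    payload = b"constructed UDP datagram"
    ah_fixed = struct.pack("!BBHII", NH_UDP, 28 // 4 - 2, 0, 0x1000, 1)
    hdr = ipv6_header(len(srh) + 28 + len(payload), NH_ROUTING)
    icv = ah_icv(hdr, srh + ah_fixed + b"\x00" * 16 + payload, key)
    return hdr, srh, ah_fixed + icv, payload

def verify(hdr, ext, ah, payload, key=KEY):
    """Receiver: recompute the ICV over the bytes it actually received."""
    expected = ah_icv(hdr, ext + ah[:12] + b"\x00" * 16 + payload, key)
    return hmac.compare_digest(expected, ah[12:])

def psp_pop(hdr, srh, ah, payload):
    """Model of PSP: the penultimate segment strips the SRH, which rewrites
    the two immutable fields the thread names, Payload Length and Next Header."""
    new_len = struct.unpack("!H", hdr[4:6])[0] - len(srh)
    return hdr[:4] + struct.pack("!HB", new_len, srh[0]) + hdr[7:], b"", ah, payload

def hop_limit_decrement(hdr):
    """Ordinary forwarding only touches Hop Limit, a mutable field."""
    return hdr[:7] + bytes([hdr[7] - 1]) + hdr[8:]
```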

-----Original Message-----
From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Eric Vyncke (evyncke)
Sent: Tuesday, March 3, 2020 4:09 AM
To: ipv6@ietf.org
Cc: suresh.krishnan@gmail.com
Subject: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))

Without any hat except the hat of an individual contributor having spent many years in IPsec and in IPv6 within the IETF and with real life deployments.

As there are some discussions about 'breaking AH' [1], here are some further points:
- some IETF RFC also exclude AH in transport mode: e.g., all NAT64 (including MAP-* as they do NAT44)
- IPsec RFC 4301 specifies a MAY for AH and a MUST for ESP, see section 3.2 "IPsec implementations MUST support ESP and MAY support AH. "
- RFC 8504 (IPv6 nodes requirements) makes the support of IPsec a SHOULD in section 13.1

IMHO, any specification breaking AH (e.g., by modifying the NextHeader in transport mode) should clearly note that it 'breaks AH' or constrains its use; but, this is still acceptable for an IETF standard specification IMHO to 'break AH'.

Finally, I have spent 10+ years designing and deploying IPsec VPNs and very few of them were using AH and when using AH it was in tunnel mode (except OSPFv3) and until ESP was extended to have authentication.

Hope this helps to clarify the discussion about any document

-éric

[1] please note the quotes around 'break AH' as it is rather 'prevent the use of AH in transport mode' in most current discussions.
