Re: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))
Tom Herbert <tom@herbertland.com> Tue, 03 March 2020 19:31 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7AFB3A07C8 for <ipv6@ietfa.amsl.com>; Tue, 3 Mar 2020 11:31:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pfw4T-YHV12t for <ipv6@ietfa.amsl.com>; Tue, 3 Mar 2020 11:31:50 -0800 (PST)
Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B1EE3A07C3 for <ipv6@ietf.org>; Tue, 3 Mar 2020 11:31:50 -0800 (PST)
Received: by mail-ed1-x531.google.com with SMTP id y3so5830143edj.13 for <ipv6@ietf.org>; Tue, 03 Mar 2020 11:31:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=BF+QKcfDooIWJ5rCLWxzWDZej6CHqI4h1E4IV1o1qnY=; b=GHx+L14NQQQ2fGR40fhLmugyTJxkSuKBE0qYYyslBkzApiJcibjBSujkOhx7CTkLvy INKiosSBlW1CCduwu3kXGM4JXLDzkOJ0m15THWtj746BkFCVDEiNbaKexbMDR5zMcqJx eQGgjbRe9+VzVtkGTqhd2+oUckJCzyR8PzybP0CTxbcredUGoTMIzwe82RS+MnEAmQA7 jAyK3oQ44MUYC8CkN8GLFP84H23RXY/4fKF5EKxX2c5I6SDFoTJQTRmQbFmDSHw/6l07 zrSPM2p4UyJjLNw5AsTg7CN5IAFDJouLO6m9qT42SeOkWT9Bn54agDPI5gAAhcSnlJvX /jsw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=BF+QKcfDooIWJ5rCLWxzWDZej6CHqI4h1E4IV1o1qnY=; b=ozw7BPUY5L+CU6OjwA0vv1lT4ZEKEQUMslhd9XUs7w9vhSfr000aRpMCIbEFDossxX Qj7bBUMIPaNHCxsBpoj95Ic726JlHMF3oTP95rXwSPAq3I9Ne09g7RF9c2tPGBap/TMN XT+5f+RCBDDJTouHKG263bixF17sOVsm8U/SHH/Aq5Luq/mvh0IfXPSrvnmZ0078RFr3 hEH6Wjem1esepclrF+Kt/n0+upMpFkVnfSE9H642GQNq61NxMmK5GSFdWHHDgTgmqysh f9ls06WxdUVAltWVP1C3lHhY8SyaVKaZ1Kr0wZ9RiWAWCyOQo3fcWgRJZ/m2ELjX/2Lo qzPQ==
X-Gm-Message-State: ANhLgQ3dBMGy7cCJu0DV/NUog08y62Z6W+Aeo0Y2MYAdwCTVcJaRmlh/ 5H6y4AAr3z/dl9RhkWKUXoJWDT1wmSeqUXcAcz0ccQ0UTkBeLw==
X-Google-Smtp-Source: ADFU+vs8zWdhrLJuyO/2wVLXFyVt3MynhDm8Ka1Ir+qeo28HN/j4Y8fP1aVpb0S8LV1RyCNgxsSElWh+Dwj7m/4RLa8=
X-Received: by 2002:a17:906:c791:: with SMTP id cw17mr5138077ejb.69.1583263908371; Tue, 03 Mar 2020 11:31:48 -0800 (PST)
MIME-Version: 1.0
References: <FE156CF2-3C58-43A3-A858-E25FE38C322B@cisco.com> <DM6PR05MB6348E69E036DE26F7A1C79FFAEE40@DM6PR05MB6348.namprd05.prod.outlook.com> <77503EA5-3689-4337-93BB-CB3D91B0E791@cisco.com>
In-Reply-To: <77503EA5-3689-4337-93BB-CB3D91B0E791@cisco.com>
From: Tom Herbert <tom@herbertland.com>
Date: Tue, 03 Mar 2020 11:31:37 -0800
Message-ID: <CALx6S37+qeZa9f8s88yE4NzW3Gj04sFG3FBEU9Jq33Rx2-bVHg@mail.gmail.com>
Subject: Re: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))
To: "Eric Vyncke (evyncke)" <evyncke=40cisco.com@dmarc.ietf.org>
Cc: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>, "suresh.krishnan@gmail.com" <suresh.krishnan@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/Ni4r5RNzgdDPuudck02feDXrpnk>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Mar 2020 19:31:53 -0000
On Tue, Mar 3, 2020 at 11:07 AM Eric Vyncke (evyncke) <evyncke=40cisco.com@dmarc.ietf.org> wrote: > > Ron, > > As I restricted the topic of this email thread to AH support by protocols in general, so, let's stick to this topic only if you do not mind. > > And, if a document is about a protocol changing the Next Header field of an IPv6 header protected by AH in transport mode then it will not work obviously. So, yes, the PSP behavior of the current network-programming draft is incompatible with AH in transport mode. Like many other existing RFC and AH is no more a requirement for IPv6 nodes. As long as there is a mention in the document that it is not compatible with AH in transport mode, I see no problem at all. > Eric, AH is an end to end protocol that is very specific about what data in the packet is covered in the computation. If an intermediate node makes changes to the packet that are not taken into account wrt fact then that breaks the AH protocol-- this is protocol nonconformance and a root cause of protocol ossification. It's precisely why there is effort to define what fields are mutable and how those are interpreted for the purposes of AH computation in every other extension header. So instead of just saying it breaks AH and there's nothing we can do about that, why not specify a correct and conformant protocol? I don't see why that's a particularly hard problem for SRH-- just specify which fields are mutable and how to deal with them. If extension header insertion/deletion is the requirement then define a way so that the receiver can clearly identify extension headers not used in the source computation and exclude them (draft-herbert-6man-eh-attrib-00 can help with that). Tom > Hope it clarifies my previous email > > Regards > > -éric > -----Original Message----- > > From: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org> > Date: Tuesday, 3 March 2020 at 14:57 > To: Eric Vyncke <evyncke@cisco.com>, "ipv6@ietf.org" <ipv6@ietf.org> > Cc: "suresh.krishnan@gmail.com" <suresh.krishnan@gmail.com> > Subject: RE: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933)) > > Eric, > > PSP breaks every IPv6 feature and every upper-layer protocol that relies on the immutability of the following fields in the IPv6 header: > > - Payload Length > - Next Header > > We know that PSP breaks the AH. Can you assure me that it doesn't break anything else? > > Ron > > > > Juniper Business Use Only > > -----Original Message----- > From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Eric Vyncke (evyncke) > Sent: Tuesday, March 3, 2020 4:09 AM > To: ipv6@ietf.org > Cc: suresh.krishnan@gmail.com > Subject: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933)) > > Without any hat except the hat of an individual contributor having spent many years in IPsec and in IPv6 within the IETF and with real life deployments. > > As there are some discussions about 'breaking AH' [1], here are some further points: > - some IETF RFC also exclude AH in transport mode: e.g., all NAT64 (including MAP-* as they do NAT44) > - IPsec RFC 4301 specifies a MAY for AH and a MUST for ESP, see section 3.2 "IPsec implementations MUST support ESP and MAY support AH. " > - RFC 8504 (IPv6 nodes requirements) make the support of IPsec as a SHOULD in section 13.1 > > IMHO, any specification breaking AH (e.g., by modifying the NextHeader in transport mode) should clearly note that it 'breaks AH' or constraints its use; but, this is still acceptable for an IETF standard specification IMHO to 'break AH'. > > Finally, I have spent 10+ years designing and deploying IPsec VPNs and very few of them were using AH and when using AH it was in tunnel mode (except OSPFv3) and until ESP was extended to have authentication. > > Hope this helps to clarify the discussion about any document > > -éric > > [1] please note the quotes around 'break AH' as it is rather 'prevent the use of AH in transport mode' in most current discussions. > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ipv6__;!!NEt6yMaO-gk!X2VjiYp3XWEkmttsP8laiCcY8IDXlZ2c_vkPL7caKbCLg5XRwm1VMWeYjSV4doxx$ > -------------------------------------------------------------------- > > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > --------------------------------------------------------------------
- About AH (was Re: [Errata Held for Document Updat… Eric Vyncke (evyncke)
- RE: About AH (was Re: [Errata Held for Document U… Ron Bonica
- Re: About AH (was Re: [Errata Held for Document U… Tom Herbert
- Re: About AH (was Re: [Errata Held for Document U… Eric Vyncke (evyncke)
- Re: About AH (was Re: [Errata Held for Document U… Eric Vyncke (evyncke)
- Re: About AH (was Re: [Errata Held for Document U… Tom Herbert
- Re: About AH (was Re: [Errata Held for Document U… Michael Richardson
- Re: About AH (was Re: [Errata Held for Document U… Brian E Carpenter
- Re: About AH (was Re: [Errata Held for Document U… Nick Hilliard
- Re: About AH (was Re: [Errata Held for Document U… Tom Herbert
- Re: About AH (was Re: [Errata Held for Document U… Mark Smith