Re: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))

Tom Herbert <tom@herbertland.com> Tue, 03 March 2020 15:25 UTC

References: <FE156CF2-3C58-43A3-A858-E25FE38C322B@cisco.com>
In-Reply-To: <FE156CF2-3C58-43A3-A858-E25FE38C322B@cisco.com>
From: Tom Herbert <tom@herbertland.com>
Date: Tue, 03 Mar 2020 07:24:53 -0800
Message-ID: <CALx6S36uEvkJdGNvJSTH4a5s1UU-eYTEDHBAL7r6T47gwt+mUA@mail.gmail.com>
Subject: Re: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))
To: "Eric Vyncke (evyncke)" <evyncke=40cisco.com@dmarc.ietf.org>
Cc: 6man <ipv6@ietf.org>, Suresh Krishnan <suresh.krishnan@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/RgZ3sfNDdFEI-9jd1IsGY4Cn7po>

On Tue, Mar 3, 2020, 1:09 AM Eric Vyncke (evyncke) <evyncke=40cisco.com@dmarc.ietf.org> wrote:

> Without any hat except the hat of an individual contributor having spent
> many years in IPsec and in IPv6 within the IETF and with real life
> deployments.
>
> As there are some discussions about 'breaking AH' [1], here are some
> further points:
> - some IETF RFC also exclude AH in transport mode: e.g., all NAT64
> (including MAP-* as they do NAT44)
> - IPsec RFC 4301 specifies a MAY for AH and a MUST for ESP, see section
> 3.2 "IPsec implementations MUST support ESP and MAY support AH. "
> - RFC 8504 (IPv6 nodes requirements) makes the support of IPsec a SHOULD
> in section 13.1
>
> IMHO, any specification breaking AH (e.g., by modifying the NextHeader in
> transport mode) should clearly note that it 'breaks AH' or constrains its
> use; but, this is still acceptable for an IETF standard specification IMHO
> to 'break AH'.
>

Eric,

AH operation is not defined in SRH, and its use may be defined in future
documents. There is nothing inherent in SRH that prevents defining correct
operation (other types of routing header support AH). Deferring work on AH
and SRH seems to have mostly been done out of expediency to move the draft
forward in the WG.

So SRH doesn't break AH; however, SRH insertion/deletion would break it, as
pointed out already.


> Finally, I have spent 10+ years designing and deploying IPsec VPNs and
> very few of them were using AH and when using AH it was in tunnel mode
> (except OSPFv3) and until ESP was extended to have authentication.
>

That's anecdotal. I could just as easily point out that after five years of
SR there's no deployment or even a correct implementation of the SRH HMAC
option, which is supposed to be a substitute for AH.

Tom

> Hope this helps to clarify the discussion about any document
>
> -éric
>
> [1] please note the quotes around 'break AH' as it is rather 'prevent the
> use of AH in transport mode' in most current discussions.
>
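Tom's distinction between SRH itself and SRH insertion/deletion can be checked against how the AH ICV is computed. The following Python is an added example, not code from this thread or from any IETF implementation: it models RFC 4302 transport-mode AH over IPv6 in simplified form (HMAC-SHA-256-128, no anti-replay, no other extension headers at the sender, constructed key and payload) and shows that a hop-limit decrement in transit leaves the ICV valid, while an on-path SRH insertion rewrites the immutable Next Header and Payload Length fields and the ICV no longer verifies.

```python
import hashlib, hmac, struct

KEY = b"constructed-demo-key"  # constructed sample; a real AH key comes from the SA (e.g. IKEv2)
AH, TCP, ROUTING = 51, 6, 43   # IPv6 Next Header values
SRC = bytes.fromhex("20010db8" + "0" * 23 + "1")  # 2001:db8::1 (documentation prefix)
DST = bytes.fromhex("20010db8" + "0" * 23 + "2")  # 2001:db8::2

def ipv6_header(next_hdr, payload_len, hop_limit):
    return struct.pack("!IHBB", 6 << 28, payload_len, next_hdr, hop_limit) + SRC + DST

def ah_covered_ipv6(hdr):
    # RFC 4302: Traffic Class, Flow Label and Hop Limit are mutable and zeroed for the ICV;
    # Payload Length, Next Header and the addresses are immutable and covered as sent.
    _vtf, plen, nh, _hop = struct.unpack("!IHBB", hdr[:8])
    return struct.pack("!IHBB", 6 << 28, plen, nh, 0) + hdr[8:]

def ah_fixed(next_hdr, spi, seq):
    # 12-byte AH fixed part; Payload Len = (12 + 16) / 4 - 2 = 5 for a 16-byte ICV.
    return struct.pack("!BBHII", next_hdr, 5, 0, spi, seq)

def icv_for(ip_hdr, before_icv, payload):
    # HMAC-SHA-256-128 over: IPv6 header (mutable fields zeroed) || headers in front of
    # the ICV (any routing header, AH fixed part) || 16 zero bytes for the ICV || payload.
    covered = ah_covered_ipv6(ip_hdr) + before_icv + b"\x00" * 16 + payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:16]

def build_packet(payload, spi=0x1000, seq=1, hop_limit=64):
    # Sender side: IPv6 | AH | payload (transport mode, no other extension headers).
    ip_hdr = ipv6_header(AH, 28 + len(payload), hop_limit)
    fixed = ah_fixed(TCP, spi, seq)
    return ip_hdr + fixed + icv_for(ip_hdr, fixed, payload) + payload

def verify(pkt):
    # Receiver side: recompute the ICV over what actually arrived.
    ip_hdr, rest = pkt[:40], pkt[40:]
    nh, ext = ip_hdr[6], b""
    if nh == ROUTING:  # skip, but still cover, a routing header sitting in front of AH
        ext_len = 8 * (rest[1] + 1)
        ext, nh, rest = rest[:ext_len], rest[0], rest[ext_len:]
    if nh != AH:
        return False
    fixed, icv, payload = rest[:12], rest[12:28], rest[28:]
    return hmac.compare_digest(icv, icv_for(ip_hdr, ext + fixed, payload))

def decrement_hop_limit(pkt):
    # Ordinary forwarding: Hop Limit is mutable, so this leaves the ICV valid.
    return pkt[:7] + bytes([pkt[7] - 1]) + pkt[8:]

def insert_srh(pkt, segment):
    # An on-path node inserting an SRH (Routing Type 4, one 16-byte segment) rewrites
    # Next Header and Payload Length, both immutable under AH, so the sender's ICV fails.
    ip_hdr, rest = pkt[:40], pkt[40:]
    srh = struct.pack("!BBBBBBH", AH, 2, 4, 1, 0, 0, 0) + segment
    plen = struct.unpack("!H", ip_hdr[4:6])[0] + len(srh)
    return ip_hdr[:4] + struct.pack("!HB", plen, ROUTING) + ip_hdr[7:] + srh + rest
```

Calling `verify(decrement_hop_limit(build_packet(b"..."))` returns True, while `verify(insert_srh(...))` returns False; a receiver that tolerated the inserted SRH would still fail, since the Next Header and Payload Length it covers differ from what the sender signed.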