Re: Seeking clarity on IPv6 IPsec AH requirement ... pending IPsec draft changes AH requirement to "MAY" from "MUST" ...
Jari Arkko <jari.arkko@kolumbus.fi> Fri, 01 April 2005 05:05 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA20774 for <ipv6-web-archive@ietf.org>; Fri, 1 Apr 2005 00:05:18 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DHESh-0000xY-Mo for ipv6-web-archive@ietf.org; Fri, 01 Apr 2005 00:12:51 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DHEEk-0004BM-Lp; Thu, 31 Mar 2005 23:58:26 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DHEEg-0004BF-7Y for ipv6@megatron.ietf.org; Thu, 31 Mar 2005 23:58:22 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA18311 for <ipv6@ietf.org>; Thu, 31 Mar 2005 23:58:19 -0500 (EST)
Received: from p130.piuha.net ([193.234.218.130]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DHELv-0000d3-QM for ipv6@ietf.org; Fri, 01 Apr 2005 00:05:52 -0500
Received: from [127.0.0.1] (p130.piuha.net [193.234.218.130]) by p130.piuha.net (Postfix) with ESMTP id 396B989862; Fri, 1 Apr 2005 07:58:10 +0300 (EEST)
Message-ID: <424CD4CE.6010104@kolumbus.fi>
Date: Fri, 01 Apr 2005 07:57:50 +0300
From: Jari Arkko <jari.arkko@kolumbus.fi>
User-Agent: Mozilla Thunderbird 1.0 (X11/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "John Spence, CCSI, CCNA, CISSP" <jspence@native6.com>
References: <200504010058.j310wrpm021834@hestia.native6.com>
In-Reply-To: <200504010058.j310wrpm021834@hestia.native6.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 31247fb3be228bb596db9127becad0bc
Content-Transfer-Encoding: 7bit
Cc: ipv6@ietf.org
Subject: Re: Seeking clarity on IPv6 IPsec AH requirement ... pending IPsec draft changes AH requirement to "MAY" from "MUST" ...
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "IP Version 6 Working Group \(ipv6\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
Sender: ipv6-bounces@ietf.org
Errors-To: ipv6-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 10ba05e7e8a9aa6adb025f426bef3a30
Content-Transfer-Encoding: 7bit
I believe the IPsec specifications take precedence here. Note that the 2401 and AH are also referenced from draft-ietf-ipv6-node-requirements (currently in RFC Ed queue). A "bis" version of that RFC-to-be should also reference the new specs. (Its too late to change now because the IPsec specs are, I think, still in the WG process and it might take some time before they can be normatively referenced without delays.) --Jari John Spence, CCSI, CCNA, CISSP wrote: >Looking at "draft-ietf-ipsec-rfc2401bis-05.txt" (Security Architecture for >the Internet Protocol), I noticed the "pending confusion" shown below. The >IPv6 Specification suggests that both AH and ESP are requirements for full >IPsec support, and the draft slated to replace the overarching IPsec >Specification makes it clear that IPsec AH is optional. > >We'll need to clarify somewhere if IPv6 is requiring a higher standard than >the future IPsec Spec, or if the IPsec Spec takes precedence, and a full >IPv6 IPsec implementation will also consider AH "optional". > >My belief is that the IPsec Spec rules here, and IPv6 should only require >IPsec "as described in the IPsec Spec of record". Today there is no >conflict, but there will be when the IPsec draft goes RFC. > >-------------- start -------------------- > >3.2 How IPsec Works > ><snip> > > IPsec implementations MUST support ESP and MAY > support AH. (Support for AH has been downgraded to MAY because > experience has shown that there are very few contexts in which ESP > cannot provide the requisite security services. > ><snip> >---------------- end ------------------ > >Looking at RFC 2460, I see this: > >-------------- start -------------------- > >4. IPv6 Extension Headers > ><snip> > > A full implementation of IPv6 includes implementation of the > following extension headers: > > Hop-by-Hop Options > Routing (Type 0) > Fragment > Destination Options > Authentication > Encapsulating Security Payload > > The first four are specified in this document; the last two are > specified in [RFC-2402] and [RFC-2406], respectively. > ><snip> >---------------- end ------------------ > >---------------------------------------------------- >John Spence, CCSI, CCNA, CISSP >Native6, Inc. >IPv6 Training and Consulting >jspence@native6.com >www.native6.com >---------------------------------------------------- > > >-------------------------------------------------------------------- >IETF IPv6 working group mailing list >ipv6@ietf.org >Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 >-------------------------------------------------------------------- > > > -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- Seeking clarity on IPv6 IPsec AH requirement ... … John Spence, CCSI, CCNA, CISSP
- Re: Seeking clarity on IPv6 IPsec AH requirement … Jari Arkko