Re: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))
Mark Smith <markzzzsmith@gmail.com> Tue, 03 March 2020 22:11 UTC
Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40EF63A0B0D for <ipv6@ietfa.amsl.com>; Tue, 3 Mar 2020 14:11:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.597
X-Spam-Level:
X-Spam-Status: No, score=-0.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rpeIHPI-eN0A for <ipv6@ietfa.amsl.com>; Tue, 3 Mar 2020 14:11:05 -0800 (PST)
Received: from mail-oi1-x229.google.com (mail-oi1-x229.google.com [IPv6:2607:f8b0:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62F1A3A0B03 for <ipv6@ietf.org>; Tue, 3 Mar 2020 14:11:05 -0800 (PST)
Received: by mail-oi1-x229.google.com with SMTP id a22so4679551oid.13 for <ipv6@ietf.org>; Tue, 03 Mar 2020 14:11:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=tJbuP3xAnUY6PEmgK8Q+FPw2K4X68t0H2Q1BWzxCNwQ=; b=phKn6ttWjJqjHvWHCOnoh0LuKnGFtj758JN+VKL4Wu6bbwhETlG5S33Tzw4YOG7wgV 5rjcIHfiXh0hyxCQhoOd5I7X49vLDhkUhACy65jy15+I6WoY0ubBb0O8rgiJXoozQsvw KYjk8bkmwSz2WUJuebQLY6XtWW3Fn3kYDUCIapgjL9G8zSFE4H+/3IokmfynEtRofGvA pdwNczUuEvrUxDEWl2i5SYC5QRey8DgvyYoCwYa+nQwOqH2AYyKyQDLS+TfivQPc4BbB gLk73UopEZd2fRaNUdFEKFyME/yXV1VGSYdmMgmvf7U+TP50gdjgdyZmAoOoN+xrmDxg 5rCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tJbuP3xAnUY6PEmgK8Q+FPw2K4X68t0H2Q1BWzxCNwQ=; b=O+NdfZrQ/GQP/Y96bzN0wqQlrogKhSjDFzhaM+5TrlfhpXSDwfHg2pk7U5rIyOiiV6 Ud92zf49Zq7b6b4fJZp+6J4L5hn34iE9JGaH0Dwbdm8tAPZzRt9PirdxMRmN+6ya0iMB ARhjrBByhOPk3wiAYnuQuxL5olz2lY/V7rpaevY74cfEI1kkmEY8zURz3zv8Ro5W4Ik1 rt0Y2lS9qTlr0WRgcfezZ+WVJbLKcjEWpYRRq7eXnjyGAJGAA1a1JDyGjxw5TBq9+7Br C30jt+LJ1wlXYTw8XaEZF5bVsW94vrAnOh4AVAXr/WHL48/3wP79EsnZhmaw18cK+DqS RyGg==
X-Gm-Message-State: ANhLgQ1B5lLgIehOEnOlNLkLb0BnplLS/dt1ZAq6NN/bYSs+mMUZkIyp hvfzJYqrTQgOwM29ZAE/tVTTZXDXakc+QUyH3Dg=
X-Google-Smtp-Source: ADFU+vvOnPk4Xi57VU4rB972wsjxWZufwEX9wx7FMX06Ho8eARSW6nv2y5QP8bMsthoEwYICy4MqBthrJ/0oM/IU2QY=
X-Received: by 2002:aca:4306:: with SMTP id q6mr513116oia.54.1583273464680; Tue, 03 Mar 2020 14:11:04 -0800 (PST)
MIME-Version: 1.0
References: <FE156CF2-3C58-43A3-A858-E25FE38C322B@cisco.com>
In-Reply-To: <FE156CF2-3C58-43A3-A858-E25FE38C322B@cisco.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Wed, 04 Mar 2020 09:10:53 +1100
Message-ID: <CAO42Z2xUWtUyO6xxyWrGB1coVB++CnOrVPh7ZpySF7YMotnyTw@mail.gmail.com>
Subject: Re: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))
To: "Eric Vyncke (evyncke)" <evyncke=40cisco.com@dmarc.ietf.org>
Cc: 6man WG <ipv6@ietf.org>, Suresh Krishnan <suresh.krishnan@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000071d689059ffa9479"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/uM6aeU5C7Px1cEyTe3yOsbD4RSo>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Mar 2020 22:11:08 -0000
On Tue, 3 Mar 2020, 20:09 Eric Vyncke (evyncke), <evyncke= 40cisco.com@dmarc.ietf.org> wrote: > Without any hat except the hat of an individual contributor having spent > many years in IPsec and in IPv6 within the IETF and with real life > deployments. > > As there are some discussions about 'breaking AH' [1], here are some > further points: > - some IETF RFC also exclude AH in transport mode: e.g., all NAT64 > (including MAP-* as they do NAT44) > - IPsec RFC 4301 specifies a MAY for AH and a MUST for ESP, see section > 3.2 "IPsec implementations MUST support ESP and MAY support AH. " > - RFC 8504 (IPv6 nodes requirements) make the support of IPsec as a SHOULD > in section 13.1 > > IMHO, any specification breaking AH (e.g., by modifying the NextHeader in > transport mode) should clearly note that it 'breaks AH' or constraints its > use; but, this is still acceptable for an IETF standard specification IMHO > to 'break AH'. > So if a spec says AH doesn't apply, then all IPv6 fields are mutable within that spec? Could that spec be on the IETF standard track? It seems so, since SRNP with PSP is. It seems that Network Prefix Translation could be changed from Experimental to Standards Track just by adding an "AH doesn't apply" statement. Errata updates to RFC 8200 may as well remove any and all processing prohibitions rather than further clarify them, because it sounds like "AH doesn't apply" is the loophole to avoid all of them while still claiming to be "using" RFC 8200 IPv6. > Finally, I have spent 10+ years designing and deploying IPsec VPNs and > very few of them were using AH and when using AH it was in tunnel mode > (except OSPFv3) and until ESP was extended to have authentication. > I seem to remember that 20 years ago when I did quite a bit of IPsec work, Cisco worked around not having true IPsec virtual tunnel interfaces by using GRE tunnels and then protecting them using IPSec in transport mode with both AH and ESP; AH being necessary to protect the outer tunnel IP header, and ESP protecting the GRE header and the GRE payload. Deprecating AH is probably the equivalent of deprecating IPsec transport mode. Regards, Mark. > Hope this helps to clarify the discussion about any document > > -éric > > [1] please note the quotes around 'break AH' as it is rather 'prevent the > use of AH in transport mode' in most current discussions. > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- >
- About AH (was Re: [Errata Held for Document Updat… Eric Vyncke (evyncke)
- RE: About AH (was Re: [Errata Held for Document U… Ron Bonica
- Re: About AH (was Re: [Errata Held for Document U… Tom Herbert
- Re: About AH (was Re: [Errata Held for Document U… Eric Vyncke (evyncke)
- Re: About AH (was Re: [Errata Held for Document U… Eric Vyncke (evyncke)
- Re: About AH (was Re: [Errata Held for Document U… Tom Herbert
- Re: About AH (was Re: [Errata Held for Document U… Michael Richardson
- Re: About AH (was Re: [Errata Held for Document U… Brian E Carpenter
- Re: About AH (was Re: [Errata Held for Document U… Nick Hilliard
- Re: About AH (was Re: [Errata Held for Document U… Tom Herbert
- Re: About AH (was Re: [Errata Held for Document U… Mark Smith