Re: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Tue, 03 March 2020 19:07 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>
CC: "suresh.krishnan@gmail.com" <suresh.krishnan@gmail.com>
Subject: Re: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))
Thread-Topic: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))
Date: Tue, 03 Mar 2020 19:07:23 +0000
Message-ID: <77503EA5-3689-4337-93BB-CB3D91B0E791@cisco.com>
References: <FE156CF2-3C58-43A3-A858-E25FE38C322B@cisco.com> <DM6PR05MB6348E69E036DE26F7A1C79FFAEE40@DM6PR05MB6348.namprd05.prod.outlook.com>
In-Reply-To: <DM6PR05MB6348E69E036DE26F7A1C79FFAEE40@DM6PR05MB6348.namprd05.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/vI16NHMEGVyPvgAya3A6Qot734s>

Ron,

As I restricted the topic of this email thread to AH support by protocols in general, let's stick to this topic only, if you do not mind.

And, if a document is about a protocol changing the Next Header field of an IPv6 header protected by AH in transport mode, then it will obviously not work. So, yes, the PSP behavior of the current network-programming draft is incompatible with AH in transport mode, like many other existing RFCs, and AH is no longer a requirement for IPv6 nodes. As long as there is a mention in the document that it is not compatible with AH in transport mode, I see no problem at all.

Hope it clarifies my previous email.

Regards

-éric
-----Original Message-----

From: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>
Date: Tuesday, 3 March 2020 at 14:57
To: Eric Vyncke <evyncke@cisco.com>, "ipv6@ietf.org" <ipv6@ietf.org>
Cc: "suresh.krishnan@gmail.com" <suresh.krishnan@gmail.com>
Subject: RE: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))

    Eric,
    
    PSP breaks every IPv6 feature and every upper-layer protocol that relies on the immutability of the following fields in the IPv6 header:
    
    - Payload Length
    - Next Header
    
    We know that PSP breaks the AH. Can you assure me that it doesn't break anything else? 
    
    Ron
    
    
    
    
    -----Original Message-----
    From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Eric Vyncke (evyncke)
    Sent: Tuesday, March 3, 2020 4:09 AM
    To: ipv6@ietf.org
    Cc: suresh.krishnan@gmail.com
    Subject: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))
    
    Without any hat except the hat of an individual contributor having spent many years in IPsec and in IPv6 within the IETF and with real-life deployments.
    
    As there are some discussions about 'breaking AH' [1], here are some further points:
    - some IETF RFCs also exclude AH in transport mode: e.g., all NAT64 (including MAP-* as they do NAT44)
    - IPsec RFC 4301 specifies a MAY for AH and a MUST for ESP, see section 3.2: "IPsec implementations MUST support ESP and MAY support AH."
    - RFC 8504 (IPv6 node requirements) makes the support of IPsec a SHOULD in section 13.1
    
    IMHO, any specification breaking AH (e.g., by modifying the Next Header in transport mode) should clearly note that it 'breaks AH' or constrains its use; but, this is still acceptable for an IETF standard specification IMHO to 'break AH'.
    
    Finally, I have spent 10+ years designing and deploying IPsec VPNs, and very few of them were using AH, and when using AH it was in tunnel mode (except OSPFv3) and until ESP was extended to have authentication.
    
    Hope this helps to clarify the discussion about any document 
    
    -éric
    
    [1] please note the quotes around 'break AH' as it is rather 'prevent the use of AH in transport mode' in most current discussions.
    
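The following is an added worked example, not code from anyone in this thread. It models the AH transport-mode ICV of RFC 4302 over a constructed packet laid out as IPv6 | SRH | AH | UDP, and shows why the Payload Length and Next Header immutability Ron points to matters: an ordinary hop-limit decrement still verifies, while a PSP-style removal of the routing header (which rewrites both fields) makes the receiver's ICV check fail. The key, the 2001:db8:: addresses, the minimal one-segment SRH and the choice of HMAC-SHA-256-128 are all assumptions made for the example.

```python
import hmac, hashlib, struct
AH, ROUTING, UDP = 51, 43, 17            # IPv6 Next Header values
KEY = b"constructed-demo-key"            # constructed sample key, not a real SA key
SRC = bytes.fromhex("20010db8" + "0" * 23 + "1")   # 2001:db8::1 (documentation prefix)
DST = bytes.fromhex("20010db8" + "0" * 23 + "2")   # 2001:db8::2
ICV_LEN = 16                             # HMAC-SHA-256-128 truncated ICV (RFC 4868)

def ipv6_hdr(next_hdr, payload_len):     # version 6, traffic class 0, flow label 0, hop limit 64
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_hdr, 64, SRC, DST)

def srh(next_hdr, segment):              # minimal SRH (routing type 4), one segment, Segments Left 0
    return struct.pack("!BBBBBBH", next_hdr, 2, 4, 0, 0, 0, 0) + segment  # form predicted at receiver

def ah(next_hdr, icv, spi=0x1000, seq=1):  # AH Payload Len = AH length in 32-bit words minus 2
    return struct.pack("!BBHII", next_hdr, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv

def icv_input(ip, ext, ah_hdr, payload):
    # RFC 4302 sec. 3.3.3: zero the mutable fields (traffic class, flow label, hop limit) and the
    # ICV itself; Payload Length and Next Header are immutable and are covered as sent
    h = bytearray(ip)
    h[0] &= 0xF0; h[1] = h[2] = h[3] = 0; h[7] = 0
    return bytes(h) + ext + ah_hdr[:12] + b"\x00" * (len(ah_hdr) - 12) + payload

def icv(ip, ext, ah_hdr, payload):
    return hmac.new(KEY, icv_input(ip, ext, ah_hdr, payload), hashlib.sha256).digest()[:ICV_LEN]

def sender_packet(payload=b"constructed UDP payload"):
    ext = srh(AH, DST)                   # IPv6 | SRH | AH | UDP: AH is placed after the routing header
    ip = ipv6_hdr(ROUTING, len(ext) + 12 + ICV_LEN + len(payload))
    tag = icv(ip, ext, ah(UDP, b"\x00" * ICV_LEN), payload)
    return ip + ext + ah(UDP, tag) + payload

def verify_ah(pkt):                      # receiver-side check: True only if the ICV still matches
    ip, rest, nh, ext = pkt[:40], pkt[40:], pkt[6], b""
    if nh == ROUTING:
        n = (rest[1] + 1) * 8
        ext, rest, nh = rest[:n], rest[n:], rest[0]
    if nh != AH:
        return False
    ah_len = (rest[1] + 2) * 4
    return hmac.compare_digest(rest[12:ah_len], icv(ip, ext, rest[:ah_len], rest[ah_len:]))

def forward_hop(pkt):                    # ordinary forwarding only touches the mutable hop limit
    return pkt[:7] + bytes([pkt[7] - 1]) + pkt[8:]

def psp_pop(pkt):
    # Penultimate-segment pop: strip the SRH, so IPv6 Next Header and Payload Length both change
    n = (pkt[41] + 1) * 8
    plen = struct.unpack("!H", pkt[4:6])[0] - n
    return pkt[:4] + struct.pack("!HB", plen, pkt[40]) + pkt[7:40] + pkt[40 + n:]
```

Running `verify_ah` on `sender_packet()` and on `forward_hop(...)` of it succeeds, while `verify_ah(psp_pop(...))` fails, which is the incompatibility with AH in transport mode discussed above.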