Re: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Tue, 03 March 2020 15:44 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Tom Herbert <tom@herbertland.com>
CC: 6man <ipv6@ietf.org>, Suresh Krishnan <suresh.krishnan@gmail.com>
Subject: Re: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))
Thread-Topic: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))
Thread-Index: AQHV8Ttb6lqk8pZ6uEe3vsAxG6KR06g2/U+AgAAWSYA=
Date: Tue, 03 Mar 2020 15:44:40 +0000
Message-ID: <71E2874B-16A0-41C0-BA20-C7F6BAED466E@cisco.com>
References: <FE156CF2-3C58-43A3-A858-E25FE38C322B@cisco.com> <CALx6S36uEvkJdGNvJSTH4a5s1UU-eYTEDHBAL7r6T47gwt+mUA@mail.gmail.com>
In-Reply-To: <CALx6S36uEvkJdGNvJSTH4a5s1UU-eYTEDHBAL7r6T47gwt+mUA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/w2tWEuhKb1JwqrtSp6_bjhkA7Yo>

Tom,

I do not think that I wrote that SRH "breaks AH", because it does not. The only section of the SRH document about AH is whether AH could possibly be used to secure the integrity and authentication of SRH itself.

In short, I agree with you that SRH does not "break SRH" ;-)

-éric


From: Tom Herbert <tom@herbertland.com>
Date: Tuesday, 3 March 2020 at 16:25
To: Eric Vyncke <evyncke@cisco.com>
Cc: 6man <ipv6@ietf.org>, Suresh Krishnan <suresh.krishnan@gmail.com>
Subject: Re: About AH (was Re: [Errata Held for Document Update] RFC8200 (5933))


On Tue, Mar 3, 2020, 1:09 AM Eric Vyncke (evyncke) <evyncke=40cisco.com@dmarc.ietf.org> wrote:
Without any hat except the hat of an individual contributor having spent many years in IPsec and in IPv6 within the IETF and with real life deployments.

As there are some discussions about 'breaking AH' [1], here are some further points:
- some IETF RFCs also exclude AH in transport mode: e.g., all NAT64 (including MAP-* as they do NAT44)
- IPsec RFC 4301 specifies a MAY for AH and a MUST for ESP, see section 3.2 "IPsec implementations MUST support ESP and MAY support AH."
- RFC 8504 (IPv6 Node Requirements) makes the support of IPsec a SHOULD in section 13.1

IMHO, any specification breaking AH (e.g., by modifying the NextHeader in transport mode) should clearly note that it 'breaks AH' or constrains its use; but, this is still acceptable for an IETF standard specification IMHO to 'break AH'.

Eric,

AH operation is not defined in SRH, and its use may be defined in future documents. There is nothing inherent in SRH that prevents defining correct operation (other types of routing header support AH). Deferring work on AH and SRH seems to have mostly been done out of expediency to move the draft forward in the WG.

So SRH doesn't break AH; however, SRH insertion/deletion would break it, as pointed out already.



Finally, I have spent 10+ years designing and deploying IPsec VPNs and very few of them were using AH and when using AH it was in tunnel mode (except OSPFv3) and until ESP was extended to have authentication.

That's anecdotal. I could just as easily point out that after five years of SR there's no deployment or even a correct implementation of the SRH HMAC option, which is supposed to be a substitute for AH.

Tom


Hope this helps to clarify the discussion about any document

-éric

[1] please note the quotes around 'break AH' as it is rather 'prevent the use of AH in transport mode' in most current discussions.

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
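The thread turns on one mechanism: in transport mode, AH's ICV covers the IPv6 base header's immutable fields (Version, Payload Length, Next Header, Source and Destination Address) and excludes the mutable ones (Traffic Class, Flow Label, Hop Limit), so an on-path node that rewrites Next Header and Payload Length to insert an extension header such as an SRH invalidates the ICV, while ordinary hop-limit decrements do not. The following Python script is an added illustration of that point, not code from the 6man thread or from any RFC. It assumes HMAC-SHA-256-128 as the AH integrity algorithm (RFC 4868 layout: 16-octet ICV plus 4 octets of padding so AH is a multiple of 8 octets), a simplified extension-header walk that understands only Hop-by-Hop, Routing and Destination Options headers, and constructed key, addresses and payload. The SRH body built in `demo()` follows the RFC 8754 field layout but is a constructed sample.

```python
"""Added example: why modifying the IPv6 Next Header field in transport
mode (e.g. SRH insertion by an on-path node) breaks AH verification,
while changes to mutable fields (hop limit) do not. Not IETF code."""
import hashlib
import hmac
import struct

AH_PROTO = 51                    # IPPROTO_AH
ICV_LEN = 16                     # HMAC-SHA-256-128 truncated ICV (RFC 4868)
AH_PAD = 4                       # padding so AH is a multiple of 8 octets
AH_LEN = 12 + ICV_LEN + AH_PAD   # fixed fields + ICV + pad = 32 octets
_EXT_WITH_8OCTET_LEN = (0, 43, 60)   # HBH, Routing, Destination Options


def ipv6_header(next_header, payload_len, src, dst, tclass=0, flow=0, hop_limit=64):
    """Pack a 40-octet IPv6 base header (constructed helper)."""
    vtf = (6 << 28) | (tclass << 20) | (flow & 0xFFFFF)
    return struct.pack("!IHBB", vtf, payload_len, next_header, hop_limit) + src + dst


def _locate_ah(packet):
    """Walk the extension-header chain after the base header until AH."""
    nh, off = packet[6], 40
    while nh != AH_PROTO:
        if nh not in _EXT_WITH_8OCTET_LEN:
            raise ValueError("no AH header found in chain")
        # RFC 8200 headers: Hdr Ext Len counts 8-octet units after the first 8
        nh, off = packet[off], off + (packet[off + 1] + 1) * 8
    return off


def _icv_input(packet):
    """Bytes AH authenticates (RFC 4302 3.3.3.1.2.1): base header with
    Traffic Class, Flow Label and Hop Limit zeroed; any extension headers
    before AH as seen by the receiver; AH with its ICV zeroed; payload."""
    ah_off = _locate_ah(packet)
    vtf, plen, nh, _hop = struct.unpack("!IHBB", packet[:8])
    base = struct.pack("!IHBB", vtf & 0xF0000000, plen, nh, 0) + packet[8:40]
    ah = packet[ah_off:ah_off + AH_LEN]
    ah_zeroed = ah[:12] + b"\x00" * ICV_LEN + ah[12 + ICV_LEN:]
    return base + packet[40:ah_off] + ah_zeroed + packet[ah_off + AH_LEN:]


def _compute_icv(key, packet):
    return hmac.new(key, _icv_input(packet), hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(key, spi, seq, next_header, payload, src, dst):
    """Sender side, transport mode: IPv6 | AH | payload with ICV filled in."""
    ah_fixed = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    ah_blank = ah_fixed + b"\x00" * ICV_LEN + b"\x00" * AH_PAD
    base = ipv6_header(AH_PROTO, AH_LEN + len(payload), src, dst)
    icv = _compute_icv(key, base + ah_blank + payload)
    return base + ah_fixed + icv + b"\x00" * AH_PAD + payload


def verify_ah(key, packet):
    """Receiver side: recompute the ICV and compare in constant time."""
    ah_off = _locate_ah(packet)
    received = packet[ah_off + 12:ah_off + 12 + ICV_LEN]
    return hmac.compare_digest(received, _compute_icv(key, packet))


def decrement_hop_limit(packet):
    """Normal forwarding: Hop Limit is mutable and excluded from the ICV."""
    return packet[:7] + bytes([packet[7] - 1]) + packet[8:]


def insert_extension_header(packet, ext_type, ext_body):
    """Simulate an on-path node inserting an extension header right after
    the base header (the SRH-insertion case). ext_body is the header minus
    its Next Header octet, which inherits the base header's old value."""
    ext = bytes([packet[6]]) + ext_body
    new_plen = struct.unpack("!H", packet[4:6])[0] + len(ext)
    base = packet[:4] + struct.pack("!H", new_plen) + bytes([ext_type]) + packet[7:40]
    return base + ext + packet[40:]


def demo():
    """Constructed sample run; returns the three verification outcomes."""
    key = b"constructed-demo-key-not-for-real-use"
    src = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1
    dst = bytes.fromhex("20010db8000000000000000000000002")   # 2001:db8::2
    pkt = build_ah_packet(key, spi=0x1000, seq=1, next_header=17,
                          payload=b"constructed upper-layer payload", src=src, dst=dst)
    # Constructed SRH body (RFC 8754 layout): Hdr Ext Len=2, Routing Type=4,
    # Segments Left=0, Last Entry=0, Flags=0, Tag=0, one 16-octet segment.
    srh_body = bytes([2, 4, 0, 0, 0]) + b"\x00\x00" + dst
    return {
        "original": verify_ah(key, pkt),                                   # True
        "hop_limit_decremented": verify_ah(key, decrement_hop_limit(pkt)),   # True
        "srh_inserted": verify_ah(key, insert_extension_header(pkt, 43, srh_body)),  # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: ICV {'verifies' if ok else 'FAILS'}")
```

The inserted routing header is located and included in the receiver's ICV input exactly as RFC 4302 requires for a routing header preceding AH; the failure comes from the rewritten Next Header and Payload Length and from the extra covered bytes the sender never saw, which is the 'SRH insertion/deletion would break it' point above. Deleting the SRH again before the final receiver would restore the original bytes, so this script models the case where the AH receiver sees the inserted header.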