[saag] Re: [rfc-i] Re: Re: Re: Re: RFCs vs Standards

Tero Kivinen <kivinen@iki.fi> Mon, 30 December 2024 08:59 UTC

From: Tero Kivinen <kivinen@iki.fi>
To: Phillip Hallam-Baker <phill@hallambaker.com>
In-Reply-To: <CAMm+LwgcRjsdXBE1=dEHkP1qKd9DxMAjxxSL+8G8AQfwS9sk4Q@mail.gmail.com>
References: <GVXPR07MB9678085DBA938C8FCE6CE9DE89382@GVXPR07MB9678.eurprd07.prod.outlook.com> <m2pllv79sn.wl-randy@psg.com> <CAMm+LwgcRjsdXBE1=dEHkP1qKd9DxMAjxxSL+8G8AQfwS9sk4Q@mail.gmail.com>
CC: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "rfc-interest@rfc-editor.org" <rfc-interest@rfc-editor.org>, IETF SAAG <saag@ietf.org>
List-Id: Security Area Advisory Group <saag.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/IJUAiH2pyfkg43_L6483Ljq6UPk>

Phillip Hallam-Baker writes:
> IPSEC as defined in the standards is completely useless because it
> doesn't work through NAT. And I remember the two Security ADs
> chuckling that it was a feature not a bug.

(I assume you mean IPsec?)

IPsec NAT Traversal using UDP encapsulation was standardized in 2005
for the original IKEv1, and IKEv2 (standardized in 2005) had that
built in from the beginning.

And yes, there is still AH, which is explicitly authenticating the IP
headers and which is not compatible with NATs, as AH is trying to
detect when someone modifies the IP header, and there it is a feature,
not a bug. But if you do not want to verify the IP header then you can
use ESP instead, and that does provide NAT traversal.
-- 
kivinen@iki.fi
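As an added illustration of the point made in the reply above (this is example code written for this page, not code from the message author, the IETF, or any IPsec implementation), the following Python model shows why an AH integrity check breaks when a NAT rewrites the source address, while UDP-encapsulated ESP (RFC 3948, UDP port 4500) still verifies after the NAT rewrites both the address and the UDP source port. The key, SPI, addresses and inner datagram are constructed; a truncated HMAC-SHA-256 stands in for the negotiated integrity algorithm; ESP encryption, the ESP trailer, replay windows and the UDP checksum are omitted because only the integrity scope matters here. Header layouts follow RFC 4302 (AH), RFC 4303 (ESP) and RFC 3948 (the zero "non-ESP marker" that separates IKE from ESP on port 4500).

```python
"""Why ESP over UDP (RFC 3948 NAT-T) survives NAT while AH does not.

Constructed illustration: real IPsec uses negotiated keys, ESP encryption,
replay windows and a UDP checksum; here only the integrity scope is modelled.
"""
import hashlib
import hmac
import socket
import struct

KEY = bytes(range(32))          # constructed demo key, not a negotiated SA key
SPI = 0x12345678                # constructed SPI (must be non-zero for the NAT-T demux)
AH_PROTO, UDP_PROTO = 51, 17
NAT_T_PORT = 4500               # RFC 3948 UDP-encapsulated ESP / RFC 3947 IKE port


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header; the checksum is left zero since it is mutable anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def icv(data):
    """Truncated HMAC-SHA-256, the shape of a real IPsec ICV."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]


def ah_icv_input(ip_hdr, ah_hdr, payload):
    """AH integrity scope (RFC 4302): the IP header with mutable fields zeroed,
    the AH header with its ICV zeroed, and the payload. Addresses stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                    # TOS/DSCP/ECN
    h[6:8] = b"\x00\x00"        # flags + fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h) + ah_hdr[:12] + bytes(16) + payload


def build_ah(src, dst, payload, seq=1):
    # next header 4 = IP-in-IP (tunnel mode); payload len 5 = (12 + 16) / 4 - 2
    ah_fixed = struct.pack("!BBHII", 4, 5, 0, SPI, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 28 + len(payload))
    ah_hdr = ah_fixed + icv(ah_icv_input(ip_hdr, ah_fixed + bytes(16), payload))
    return ip_hdr + ah_hdr + payload


def verify_ah(pkt):
    ip_hdr, ah_hdr, payload = pkt[:20], pkt[20:48], pkt[48:]
    return hmac.compare_digest(ah_hdr[12:], icv(ah_icv_input(ip_hdr, ah_hdr, payload)))


def build_esp_udp(src, dst, ciphertext, seq=1, sport=NAT_T_PORT):
    """ESP integrity scope (RFC 4303): SPI + sequence + payload. No IP/UDP bytes."""
    esp = struct.pack("!II", SPI, seq) + ciphertext
    esp += icv(esp)
    udp = struct.pack("!HHHH", sport, NAT_T_PORT, 8 + len(esp), 0) + esp  # checksum 0
    return ipv4_header(src, dst, UDP_PROTO, len(udp)) + udp


def classify_nat_t(udp_payload):
    """RFC 3948 demux on port 4500: a zero 'non-ESP marker' means IKE, else ESP."""
    return "ike" if udp_payload[:4] == b"\x00\x00\x00\x00" else "esp"


def verify_esp_udp(pkt):
    udp_payload = pkt[28:]
    if classify_nat_t(udp_payload) != "esp":
        return False
    body, tag = udp_payload[:-16], udp_payload[-16:]
    return hmac.compare_digest(tag, icv(body))


def nat_rewrite(pkt, new_src, new_sport=None):
    """What a source NAT does: replace the source address and, for UDP, the source port."""
    p = bytearray(pkt)
    p[12:16] = socket.inet_aton(new_src)
    if p[9] == UDP_PROTO and new_sport is not None:
        p[20:22] = struct.pack("!H", new_sport)
    return bytes(p)


def demo():
    inner = b"\x45\x00" + bytes(18) + b"constructed inner datagram"   # fake inner IP packet
    ah = build_ah("10.0.0.2", "203.0.113.5", inner)
    esp = build_esp_udp("10.0.0.2", "203.0.113.5", inner)
    ah_nat = nat_rewrite(ah, "198.51.100.7")
    esp_nat = nat_rewrite(esp, "198.51.100.7", new_sport=40001)
    return {
        "ah_before_nat": verify_ah(ah),
        "ah_after_nat": verify_ah(ah_nat),
        "esp_before_nat": verify_esp_udp(esp),
        "esp_after_nat": verify_esp_udp(esp_nat),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The AH failure is the intended behaviour the reply describes: the source address is an immutable field in AH's view, so a rewritten address is indistinguishable from an attacker tampering with the header. ESP binds only the SPI, sequence number and payload, so the outer address and UDP port can change freely; the NAT-T demux on port 4500 only needs the first four bytes to be non-zero (a real SPI) to tell ESP apart from IKE.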