[saag] Re: [rfc-i] Re: Re: Re: Re: RFCs vs Standards
Tero Kivinen <kivinen@iki.fi> Mon, 30 December 2024 08:59 UTC
Date: Mon, 30 Dec 2024 10:59:44 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Phillip Hallam-Baker <phill@hallambaker.com>
CC: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "rfc-interest@rfc-editor.org" <rfc-interest@rfc-editor.org>, IETF SAAG <saag@ietf.org>
List-Id: Security Area Advisory Group <saag.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/IJUAiH2pyfkg43_L6483Ljq6UPk>

Phillip Hallam-Baker writes:
> IPSEC as defined in the standards is completely useless because it
> doesn't work through NAT. And I remember the two Security ADs
> chuckling that it was a feature not a bug.

(I assume you mean IPsec?)

IPsec NAT Traversal using UDP encapsulation was standardized in 2005
for the original IKEv1, and the IKEv2 (standardized in 2005) had that
built in from the beginning.

And yes there is still AH that is explicitly authenticating the IP
headers which is not compatible with the NATs, as AH is trying to
detect when someone modifies the IP header, and there it is a feature
not a bug. But if you do not want to verify the IP header then you can
use ESP instead and that does provide NAT traversal.
--
kivinen@iki.fi
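
A simplified model of the AH versus ESP point above, added here as an illustration and not part of the original message: the integrity check value (ICV) of AH covers the IP header's addresses, so a NAT rewrite breaks it, while the ESP ICV covers only the ESP packet. Assumptions: HMAC-SHA256 stands in for the negotiated integrity algorithm, the key, addresses and payload are constructed, the AH header itself is left out of the ICV input, and the ESP payload is not encrypted.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key (assumption)

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header; the checksum is left at 0 in this model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, bytes(src), bytes(dst))

def zero_mutable(hdr):
    """Zero the fields AH treats as mutable in transit:
    TOS, flags/fragment offset, TTL and header checksum."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_icv(hdr, payload):
    # AH authenticates the immutable IP header fields plus the payload.
    return hmac.new(KEY, zero_mutable(hdr) + payload, hashlib.sha256).digest()

def esp_icv(esp_packet):
    # ESP authenticates only SPI, sequence number and payload.
    return hmac.new(KEY, esp_packet, hashlib.sha256).digest()

def forward(hdr, new_src=None):
    """Model one hop: decrement TTL and, if new_src is given, act as a NAT."""
    h = bytearray(hdr)
    h[8] -= 1
    if new_src is not None:
        h[12:16] = bytes(new_src)
    return bytes(h)

def survives_transit():
    payload = b"constructed payload"
    inside, public, peer = (10, 0, 0, 5), (203, 0, 113, 7), (198, 51, 100, 9)
    ah_hdr = ipv4_header(inside, peer, 51, len(payload))   # protocol 51 = AH
    ah_tag = ah_icv(ah_hdr, payload)
    esp_pkt = struct.pack("!II", 0x1000, 1) + payload      # SPI, sequence number
    esp_tag = esp_icv(esp_pkt)                             # outer header not covered
    return {
        "ah_plain_router": hmac.compare_digest(ah_tag, ah_icv(forward(ah_hdr), payload)),
        "ah_through_nat": hmac.compare_digest(ah_tag, ah_icv(forward(ah_hdr, public), payload)),
        "esp_through_nat": hmac.compare_digest(esp_tag, esp_icv(esp_pkt)),
    }
```

The TTL decrement alone leaves the AH check intact because TTL is zeroed before the ICV is computed; only the address rewrite is detected.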