
Re: [IPsec] Avoiding Authentication Header (AH)

From: Bhatia, Manav (Manav) <manav.bhatia_at_nospam>
Date: Tue Jan 03 2012 - 00:36:05 GMT
To: Nico Williams <nico@cryptonector.com>, RJ Atkinson <rja.lists@gmail.com>

Hi Nico,

http://tools.ietf.org/html/draft-bhatia-ipsecme-avoiding-ah-00 is NOT trying to move AH to Historic.

It's merely trying to discourage newer applications and protocols from mandating AH as the same level of security can be achieved with ESP-NULL. The draft also says:

   It however, does not preclude the possibility of new
   work to IETF that will require or enhance AH. It just means that the
   authors will have to explain why that solution is really needed and
   the reason why ESP with NULL encryption algorithm cannot be used
   instead.

I had initially published an Informational draft till a few folks pointed out that it could be a BCP.

Cheers, Manav

-----Original Message-----
From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of Nico Williams
Sent: Tuesday, January 03, 2012 5:59 AM
To: RJ Atkinson
Cc: IPsec ME WG List
Subject: Re: [IPsec] Avoiding Authentication Header (AH)

On Mon, Jan 2, 2012 at 3:11 PM, RJ Atkinson <rja.lists@gmail.com> wrote:
> I gave a list earlier of a number of different scenarios where and
> reasons why AH is used. A subset of that list:
> - ESP null does not protect options/optional headers.

ESP in tunnel mode is supposed to be the replacement for AH, and gets you this.

> - ESP null cannot reliably be parsed past.

WESP is supposed to provide this.

Would tunnel mode be too expensive for new protocols that need integrity protection of outer headers?

In any case, if there's no way to remove AH support from existing implementations any time soon, then there's not much benefit to moving AH to Historic either. And it's clear that the controversy that has arisen will take a fair bit of energy to resolve. It may be best to simply publish an Informational RFC providing advice on what new protocols that say "use IPsec" should do.

Nico
--
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
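The coverage difference the thread argues over (an AH ICV includes the IP header and its options, an ESP-NULL ICV does not, and tunnel-mode ESP protects the inner header but still not the outer one), shown as an added toy model that is not part of the thread, the draft, or any IPsec implementation. It is simplified from RFC 4302 and RFC 4303: the HMAC key, SPIs, sequence numbers, addresses and packets are constructed; header length and checksum fields are placeholders; protocol-number chaining (51 for AH, 50 for ESP) is not modelled; and, as a stated assumption, IP options are treated as immutable under AH, whereas RFC 4302 classifies each option type individually.

```python
"""Toy model of what the AH and ESP-NULL integrity check values (ICVs) cover.
Constructed example, simplified from RFC 4302 (AH) and RFC 4303 (ESP); not an
IPsec implementation. Key, SPIs, sequence numbers and packets are made up."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-integrity-key"   # constructed, not a real SA key
ICV_LEN = 16                               # truncated HMAC, as with HMAC-SHA-256-128

SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])            # transport / inner endpoints
OUT_SRC, OUT_DST = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])  # tunnel endpoints
ROUTER_ALERT = bytes([0x94, 0x04, 0x00, 0x00])                   # IPv4 Router Alert option
PAYLOAD = b"constructed application data"


def ipv4_header(src, dst, proto, ttl=64, options=b""):
    """IPv4 header with optional options. Total length and checksum are
    placeholders; protocol-number chaining (51 for AH, 50 for ESP) is not modelled."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    base = struct.pack("!BBHHHBBH4s4s",
                       (4 << 4) | ihl,     # version / IHL
                       0,                  # DSCP / ECN
                       20 + len(options),  # total length placeholder
                       0x1234,             # identification
                       0x4000,             # flags (DF set) / fragment offset
                       ttl, proto,
                       0xBEEF,             # header checksum placeholder
                       src, dst)
    return base + options


def ah_icv_input(ip_hdr, payload, spi, seq, next_hdr):
    """Bytes AH authenticates in transport mode: the IP header with mutable
    fields zeroed, the AH header with a zeroed ICV, then the payload.
    Assumption for this toy: options are treated as immutable (RFC 4302
    classifies each option type individually)."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # DSCP/ECN may be rewritten in transit
    h[6] &= 0x1F              # DF/MF flags are mutable; fragment offset is not
    h[8] = 0                  # TTL is decremented per hop
    h[10:12] = b"\x00\x00"    # header checksum changes with TTL
    payload_len = (12 + ICV_LEN) // 4 - 2          # AH length in 32-bit words, minus 2
    ah = struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + bytes(ICV_LEN)
    return bytes(h) + ah + payload


def esp_icv_input(payload, spi, seq, next_hdr):
    """Bytes ESP-NULL authenticates: SPI, sequence number, payload and the ESP
    trailer (padding, pad length, next header). The outer IP header is never
    part of it, in transport or tunnel mode."""
    pad = (-(len(payload) + 2)) % 4
    trailer = bytes(pad) + bytes([pad, next_hdr])
    return struct.pack("!II", spi, seq) + payload + trailer


def icv_input(mode, outer_ip, payload, inner_ip=None):
    """Select the authenticated byte string for one of three packet layouts."""
    if mode == "AH-transport":
        return ah_icv_input(outer_ip, payload, spi=0x1000, seq=1, next_hdr=6)
    if mode == "ESP-transport":
        return esp_icv_input(payload, spi=0x2000, seq=1, next_hdr=6)
    if mode == "ESP-tunnel":                       # inner IP header is part of the payload
        return esp_icv_input(inner_ip + payload, spi=0x3000, seq=1, next_hdr=4)
    raise ValueError(mode)


def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def change_detected(mode, before, after):
    """True if the change from `before` to `after` alters the ICV under `mode`,
    i.e. a verifying receiver would reject the modified packet.
    Each packet is (outer_ip_header, payload, inner_ip_header_or_None)."""
    return icv(icv_input(mode, *before)) != icv(icv_input(mode, *after))


def coverage_summary():
    plain = (ipv4_header(SRC, DST, 6), PAYLOAD, None)
    opt = (ipv4_header(SRC, DST, 6, options=ROUTER_ALERT), PAYLOAD, None)
    ttl_dec = (ipv4_header(SRC, DST, 6, ttl=63), PAYLOAD, None)
    tun = (ipv4_header(OUT_SRC, OUT_DST, 4), PAYLOAD, ipv4_header(SRC, DST, 6))
    tun_inopt = (ipv4_header(OUT_SRC, OUT_DST, 4), PAYLOAD,
                 ipv4_header(SRC, DST, 6, options=ROUTER_ALERT))
    tun_outopt = (ipv4_header(OUT_SRC, OUT_DST, 4, options=ROUTER_ALERT), PAYLOAD,
                  ipv4_header(SRC, DST, 6))
    return {
        "ah_detects_ip_option": change_detected("AH-transport", plain, opt),
        "ah_tolerates_ttl_decrement": not change_detected("AH-transport", plain, ttl_dec),
        "esp_transport_detects_option": change_detected("ESP-transport", plain, opt),
        "esp_tunnel_detects_inner_option": change_detected("ESP-tunnel", tun, tun_inopt),
        "esp_tunnel_detects_outer_option": change_detected("ESP-tunnel", tun, tun_outopt),
    }


if __name__ == "__main__":
    for name, value in coverage_summary().items():
        print(f"{name}: {value}")
```

Running it shows the two points made above: adding a Router Alert option to the header is caught by the AH ICV but not by transport-mode ESP-NULL, and tunnel-mode ESP-NULL catches it only on the inner header, never on the outer one that routers actually act on. The TTL case shows why AH has to zero mutable fields before computing the ICV; WESP (which only makes ESP parseable by middleboxes) is not modelled here.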