
RE: draft-dommety-gre-ext-02.txt in iesg



>  <<Death to AH? (was: Reasons for AH & ESP )>> 
> 
Since you seem to have found a use of AH, probably it would be a good thing
to tell IPSEC folks you need it. There seems to be some push to make it
historical...


alessio


> Are you saying this because the attacker can send bogus IPsec packets and
> so
> we cannot prevent the attack?
> 
> 
> 
> >There's no way for IPSec AH as spec'd now to 
> >protect the GRE header (unless I have missed some extension to allow
> >an AH header outside the outermost IP header).
> 
> If we assume that the delivery protocol is IP then
> 
> 
> BEFORE APPLYING AH
> 
> the packet will look like 
> 
>     IP hdr | GRE header| Payload
> 
> AFTER APPLYING AH  (example transport mode)
>  
>     IP hdr | AH | GRE header| Payload
> 
> The entire packet other than the mutable fields is authenticated.  ESP will
> also work.
> 
> Please let me know if you do not agree. I will add text and references to AH
> and ESP RFCs.
> 
> 
> 


At 09:09 AM 6/1/2000 -0400, Steven M. Bellovin wrote:

>Some of us have argued against AH for years --
>I still have a note I sent in 1995 detailing its uselessness.  But I
>see no consensus to re-open the question; I certainly don't intend to
>lead any charge to delete it from the spec as we move towards Draft
>Standard.  (Admittedly, I have considered such an effort, but I don't
>think enough people or views have changed to make it worthwhile, and
>I'd rather not stir up pointless controversy.)

I might think the first step toward that is to poll this diverse group to 
see if anyone is deploying AH and could not use ESP NULL instead.

I am all for a rough consensus that will change the IPsec/IKE standards to 
list AH as a Historical protocol that should not be implemented anymore.

I suspect that a number of vendors only have it in their product for the 
'check box' syndrome.

I would also be interested in a lively debate by IPv6 knowledgeable 
engineers that can counter Steve B's concerns on the real value of AH to v6.

However, I might point out that some vendors have had their ICSA 
certification delayed while they hustled to add the NULL encryption to 
their ESP implementation.  Like they never read our criteria before product 
submission.  Speaking of NULL, it is also sad to see the number of vendors that 
implemented it with a key length of ZERO.  That is, in IKE they explicitly 
specified the key length as ZERO.



Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com