RE: draft-dommety-gre-ext-02.txt in iesg
At 10:54 PM 04/06/00 +0100, Casati, Alessio (Alessio) wrote:
>> <<Death to AH? (was: Reasons for AH & ESP )>>
>>
>Since you seem to have found a use of AH, probably it would be a good thing
>to tell IPSEC folks you need it. There seems to be some push to make it
>historical...
>
Alessio,
ESP will also serve the purpose.
-Gopal
>
>alessio
>
>
>> Are you saying this because the attacker can send bogus IPsec packets and
>> so we cannot prevent the attack?
>>
>>
>>
>> >There's no way for IPSec AH as spec'd now to
>> >protect the GRE header (unless I have missed some extension to allow
>> >an AH header outside the outermost IP header).
>>
>> If we assume that the delivery protocol is IP then
>>
>>
>> BEFORE APPLYING AH
>>
>> the packet will look like
>>
>> IP hdr | GRE header| Payload
>>
>> AFTER APPLYING AH (example transport mode)
>>
>> IP hdr | AH | GRE header| Payload
>>
>> Entire packet other than the mutable fields are authenticated. ESP will
>> also work.
>>
>> Please let me know if you do not agree. I will add text and references to AH
>> and ESP RFCs.
>>
>>
>>
>Message-ID: <4.3.2.7.2.20000602141843.045af6b0@homebase.htt-consult.com>
>From: Robert Moskowitz <rgm-sec@htt-consult.com>
>To: "Steven M. Bellovin" <smb@research.att.com>, Paul Lambert
> <Paul.Lambert@cosinecom.com>
>Cc: ipsec@lists.tislabs.com, KokMing <km.ang@student.qut.edu.au>
>Subject: Death to AH? (was: Reasons for AH & ESP )
>Date: Fri, 2 Jun 2000 19:28:44 +0100
>MIME-Version: 1.0
>X-Mailer: Internet Mail Service (5.5.2650.21)
>Content-Type: text/plain;
> charset="iso-8859-1"
>
>At 09:09 AM 6/1/2000 -0400, Steven M. Bellovin wrote:
>
>>Some of us have argued against AH for years --
>>I still have a note I sent in 1995 detailing its uselessness. But I
>>see no consensus to re-open the question; I certainly don't intend to
>>lead any charge to delete it from the spec as we move towards Draft
>>Standard. (Admittedly, I have considered such an effort, but I don't
>>think enough people or views have changed to make it worthwhile, and
>>I'd rather not stir up pointless controversy.)
>
>I might think the first step toward that is to poll this diverse group to
>see if anyone is deploying AH and could not use ESP NULL instead.
>
>I am all for a rough consensus that will change the IPsec/IKE standards to
>list AH as a Historical protocol that should not be implemented anymore.
>
>I suspect that a number of vendors only have it in their product for the
>'check box' syndrome.
>
>I would also be interested in a lively debate by IPv6 knowledgeable
>engineers that can counter Steve B's concerns on the real value of AH to v6.
>
>However, I might point out that some vendors have had their ICSA
>certification delayed while they hustled to add the NULL encryption to
>their ESP implementation. Like they never read our criteria before product
>submission. Speaking on NULL, it is also sad on the number of vendors that
>implemented it with a key length of ZERO. That is in IKE they explicitly
>specified the key length as ZERO.
>
>
>
>Robert Moskowitz
>ICSA
>Security Interest EMail: rgm-sec@htt-consult.com
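The transport-mode layout discussed earlier in this thread (IP hdr | AH | GRE header | Payload), worked through as an added example that is not part of the thread or of any of the drafts it mentions. It builds a constructed IPv4 + AH + GRE packet, computes the AH ICV as HMAC-SHA1-96 (RFC 2404) over the packet with the IPv4 mutable fields of RFC 2402 (TOS, flags/fragment offset, TTL, header checksum) and the ICV itself zeroed, and then checks two things: an in-flight TTL decrement (a mutable-field change) still verifies, while a change to the GRE Key field does not. The key, addresses, SPI and payload are constructed values; the GRE header carries the optional Key field so that the field protected is one the GRE extensions draft is about.

```python
"""Added example: AH transport mode integrity check covering a GRE header.
Not code from the thread; all keys, addresses and payload bytes are constructed."""
import hmac
import hashlib
import struct

IPPROTO_GRE = 47
IPPROTO_AH = 51
ICV_LEN = 12   # HMAC-SHA1-96: 20-byte SHA-1 MAC truncated to 96 bits (RFC 2404)
IP_LEN = 20    # fixed IPv4 header, no options
AH_FIXED = 12  # next header, payload len, reserved, SPI, sequence number

def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    # version/IHL, TOS, total length, ID, flags+frag, TTL, proto, checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def gre_header(proto_type: int = 0x0800, key=None) -> bytes:
    """GRE header; with key set, the K bit (0x2000) is raised and the 4-byte Key field appended."""
    flags = 0x2000 if key is not None else 0
    hdr = struct.pack("!HH", flags, proto_type)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr

def ah_header(spi: int, seq: int, icv: bytes = b"\x00" * ICV_LEN, next_header: int = IPPROTO_GRE) -> bytes:
    payload_len = (AH_FIXED + ICV_LEN) // 4 - 2  # AH length in 32-bit words minus 2 (RFC 2402)
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def zero_mutable(packet: bytes) -> bytes:
    """Copy of the packet with the IPv4 mutable fields and the AH ICV zeroed for ICV computation."""
    p = bytearray(packet)
    p[1] = 0                    # TOS
    p[6:8] = b"\x00\x00"        # flags + fragment offset
    p[8] = 0                    # TTL
    p[10:12] = b"\x00\x00"      # header checksum
    icv_at = IP_LEN + AH_FIXED
    p[icv_at:icv_at + ICV_LEN] = b"\x00" * ICV_LEN
    return bytes(p)

def compute_icv(key: bytes, packet: bytes) -> bytes:
    return hmac.new(key, zero_mutable(packet), hashlib.sha1).digest()[:ICV_LEN]

def ah_protect(key: bytes, src: bytes, dst: bytes, gre: bytes, payload: bytes, spi: int, seq: int) -> bytes:
    """Build IP | AH | GRE | payload and fill in the ICV; the GRE header is inside the authenticated span."""
    inner = gre + payload
    ip = ipv4_header(src, dst, IPPROTO_AH, IP_LEN + AH_FIXED + ICV_LEN + len(inner))
    pkt = ip + ah_header(spi, seq) + inner
    icv_at = IP_LEN + AH_FIXED
    return pkt[:icv_at] + compute_icv(key, pkt) + pkt[icv_at + ICV_LEN:]

def ah_verify(key: bytes, packet: bytes) -> bool:
    icv_at = IP_LEN + AH_FIXED
    return hmac.compare_digest(packet[icv_at:icv_at + ICV_LEN], compute_icv(key, packet))

def decrement_ttl(packet: bytes) -> bytes:
    """What a router does in flight: TTL-1 and a recomputed IP checksum, both mutable fields."""
    p = bytearray(packet)
    p[8] -= 1
    p[10:12] = b"\x00\x00"
    p[10:12] = struct.pack("!H", ipv4_checksum(bytes(p[:IP_LEN])))
    return bytes(p)

def tamper_gre_key(packet: bytes) -> bytes:
    """An on-path change to the GRE Key field (GRE starts after IP+AH; Key follows flags and protocol)."""
    p = bytearray(packet)
    key_at = IP_LEN + AH_FIXED + ICV_LEN + 4
    p[key_at:key_at + 4] = struct.pack("!I", 0xDEADBEEF)
    return bytes(p)

# Constructed demo values; the key is a placeholder, not a real secret.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

def demo() -> dict:
    pkt = ah_protect(DEMO_KEY, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
                     gre_header(key=0x12345678), b"constructed inner payload", spi=0x100, seq=1)
    return {
        "original": ah_verify(DEMO_KEY, pkt),
        "ttl_decremented": ah_verify(DEMO_KEY, decrement_ttl(pkt)),
        "gre_key_tampered": ah_verify(DEMO_KEY, tamper_gre_key(pkt)),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'REJECTED'}")
```

The same protection would be obtained with ESP in transport mode, as the thread says, because the GRE header then sits inside the ESP payload that the ESP authenticator covers; what neither protocol protects is the outer IP header's mutable fields, which is exactly why the TTL change above is still accepted.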