[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Last Call: Security Architecture for the Internet Protocol to

To: Dan McDonald <danmcd@Eng.Sun.Com>
Subject: Re: Last Call: Security Architecture for the Internet Protocol to
From: Steve Bellovin <smb@research.att.com>
Date: Fri, 27 Mar 1998 13:35:57 -0500
cc: baiju.v.patel@intel.com (Patel, Baiju V), peterf@microsoft.com, iesg@ns.ietf.org, ipsec@tis.com
Sender: owner-ipsec@ex.tis.com

	One of the biggest reasons we have AH is because there _are_
	some things in the middle of the "IP header" that need to be
	authenticated for them to be simultaneously safe and useful.
	The biggest example of this is source routing.

In my opinion -- and I've posted this before -- there's nothing in the
IP header that's both interesting and protected.  You can't protect the
source routing option, since the next-hop pointer changes en route.
Appendix A of the AH draft recognizes that, and lists it as 'mutable --
zeroed'.

When you look over the list of IP header fields and options that are
either immutable or predictable, you find that the only things that are
really of interest are the source and destination addresses and the
security label.  To the extent that we want to protect the addresses --
a point that's very unclear to me -- they're bound to the security
association.  The security label certainly should be.  If you're using
security labels (almost no one does) and you don't have the facilities
to bind it at key management time, use tunnel mode and be done with it.

	I'll admit that I've never been in the operations business, but
	I've been told that source routing is a very useful tool for
	diagnosing some classes of problems.  AH allows source routing
	to be useful again w/o opening the holes it opens.

Well, yes, but not for the reason you specify.  The problem with source
routing is that it makes address-spoofing trivial.  With AH, people
will either verify certificate names -- the right way to do things --
or they'll bind a certificate to the source address, and use AH to
verify the legitimacy of it.  The route specified has nothing to do
with it, and ESP with null encryption does the same thing.

I don't like AH, either in concept or design (and in particular I don't
like the way it commits layer violations).  Its only real use, as I see
it, is to answer Greg Minshall's objections -- it leaves the port
numbers in the clear, and visible in a context-independent fashion.
With null encryption, the monitoring station has to know that that was
selected.  But I'm very far from convinced that these issues are
important enough to justify AH.

All that notwithstanding, this is not a new issue.  We've been over
this ground before in the working group.  Several of us, myself
included, suggested deleting AH.  We lost.  Fine; so be it.  Let's ship
the documents and be done with it.

Prev by Date: Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
Next by Date: RE: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
Next by thread: Do we need ?
Index(es):
- Main
- Thread