Re: AH Last Call complaint: No source route protection in IPv4!

["Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>]

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Dan" == Dan McDonald <danmcd@Eng.Sun.Com> writes:

    Dan> Hello!

    Dan> Mohan and I have were going over the latest batches on the IPsec
    Dan> mailing list about AH, and we realized that there is something
    Dan> missing from the current AH draft:

    Dan> IPv4 SOURCE ROUTING IS NOT PROTECTED BY AH IN ITS CURRENT REVISION.

    Dan> Thanks to Steve Bellovin for pointing out that it is not currently
    Dan> included in AH.  This is a big mistake (IMHO), because source routes
    Dan> in IPv4 _can_ be predicted with the same reliability that the type 0
    Dan> routing header in IPv6 can.

  It was originally protected in the RFC transforms. We realized a
snag when implementing it, which was brought up at the Detroit interop, and I
think later caused it to be removed again from the drafts.

    Dan> followups to it as far as I could tell.  BTW, this is from the
    Dan> archives at ftp.ans.net, before IPsec moved to its current home
    Dan> @tis.com.

  Thank you for the pointer. I am adding this to
http://www.sandelman.ottawa.on.ca/ipsec in MHonArc format.

    Dan> Please note that the thinking at the time was based on deployed
    Dan> implementations of routers.  I've looked at our code and BSD, and
    Dan> they both do the predictable thing in their forwarding path.  I'd
    Dan> appreciate any verification by major router vendors.
 
  My reading of BSD code says that Ran's note is correct. What is your notion?

    Ran> It turns out that the way one might read LSRR's specification is not
    Ran> the way it has been implemented in most systems that implement it.
*   Ran> It has been implemented so that the addresses recorded are NOT the
*   Ran> arriving interfaces of the listed intermediate systems but instead
*   Ran> the next-hop after leaving each listed intermediate system.  This
*   Ran> last isn't predictable in the general case.  I can see both
    Ran> interpretations in the text of RFC-791, but what matters is what has
    Ran> been implemented.

    Ran> Similarly, SSRR originally lists the inbound address of each
    Ran> intermediate hop but records the outbound address of each
    Ran> intermediate hop (at least in real world implementations).  Again,
    Ran> this makes SSRR unpredictable in the general case.  RFC-791 does
    Ran> appear to say this upon re-reading, but it is too subtly worded for
    Ran> my taste.

  ...

    Ran> Bill, Craig, and I think we have a compromise position on IPv4 AH
    Ran> processing.  At least one router vendor that Bill talks with has
    Ran> also agreed that this is reasonable.  I am altering the freely
    Ran> distributable NRL implementation to reflect this compromise.

  This suggests that we can now do AH over source routing?

   :!mcr!:            |  Sandelman Software Works Corporation, Ottawa, ON  
   Michael Richardson |Network and security consulting and contract programming
 Personal: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ottawa.on.ca</A>. PGP key available.
 Corporate: <A HREF="http://www.sandelman.ottawa.on.ca/SSW/">sales@sandelman.ottawa.on.ca</A>. 








-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBNR00HtiXVu0RiA21AQFZLwMAjd3TU4FsvdO7560qLLz5ljJEeJrG0JJ/
3b35D1ENpmn7mgbpIunvCJM1prBE3Cvf/Fth6Df0hp+xy7AMsqA8ubKQijlRn+D0
QjTClYxCackMG5a9O+9FcNTMWRE+BnB+
=KAUq
-----END PGP SIGNATURE-----

---

References:

• AH Last Call complaint: No source route protection in IPv4!
• From: Dan McDonald <danmcd@Eng.Sun.Com>

---

• Prev by Date: AH Last Call complaint: No source route protection in IPv4!
• Next by Date: ISAKMP SPI
• Prev by thread: AH Last Call complaint: No source route protection in IPv4!
• Next by thread: Re: AH Last Call complaint: No source route protection in IPv4!
• Index(es):
  • Main
  • Thread