[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Death to AH? (was: Reasons for AH & ESP )
>>>>> "Robert" == Robert Moskowitz <rgm-sec@htt-consult.com> writes:
Robert> At 09:09 AM 6/1/2000 -0400, Steven M. Bellovin wrote:
>> Some of us have argued against AH for years -- I still have a note
>> I sent in 1995 detailing its uselessness. But I see no consensus
>> to re-open the question; I certainly don't intend to lead any
>> charge to delete it from the spec as we move towards Draft
>> Standard. (Admittedly, I have considered such an effort, but I
>> don't think enough people or views have changed to make it
>> worthwhile, and I'd rather not stir up pointless controversy.)
Robert> I might think the first step toward that is to poll this
Robert> diverse group to see if anyone is deploying AH and could not
Robert> use ESP NULL instead.
Ok, here's one data point. The Lucent (formerly Xedia) Access Point
IPsec implementation uses ESP Null; it does not support AH.
(One reason is the extreme pain encounted when doing AH with IPcomp
using a hardware accelerator, btw.)
Robert> I am all for a rough concensus that will change the IPsec/IKE
Robert> standards to list AH as a Historical protocol that should not
Robert> be implemented anymore.
I know this was attempted about 2 years ago at a Chicago IETF meeting
and failed there (on something vaguely resembling a tie vote).
Perhaps in the light of more widespread implementation experience we
can have a different outcome.
Robert> I would also be interested in a lively debate by IPv6
Robert> knowedgeable engineers that can couner Steve B's concerns on
Robert> the real value of AH to v6.
I would too, because I share Steve B's doubts. It would be good if
anyone who feels differently could specifically address the issues
Steve raised.
Robert> However, I might point out that some vendors have had their
Robert> ICSA certification delayed while they hustled to add the NULL
Robert> encryption to their ESP implementation.
Fortunately it is easy, except for the somewhat confusing pad rules...
Robert> .... Speaking on NULL, it
Robert> is also sad on the number of vendors that implemented it with
Robert> a key length of ZERO. That is in IKE they explicitely
Robert> specified the key length as ZERO.
Or rather, it is sad that IKE insists this is illegal. The "be strict
on transmit, tolerant on receive" principle would say that for a
cipher with a fixed length key you could either omit the length or
include it, but if you include it, it has to be the single permitted
value.
paul
References: