
Re: Deprecation of AH header from the IPSEC tool kit



Michael Richardson writes:
 > 
 > >>>>> "Michael" == Michael Thomas <mat@cisco.com> writes:
 >     Michael> Maybe you're misunderstanding me: if ESP had a bit which said
 >     Michael> "I'm protecting the outside headers too", it could be either
 >     Michael> signaled or potentially even done on an as-needed basis by the
 >     Michael> IPsec stack for IP headers which would otherwise require AH. I'm
 >     Michael> all for not protecting things that don't need protection
 >     Michael> otherwise.
 > 
 >   The point that Steve Bellovin keeps making, and which he has written about,
 > is that AH does not provide much more in the way of authentication that
 > ESP does not (at least for IPv4). The outer headers are all either
 > irrelevant, or can be derived from the SPD, so you don't have to trust them.
 
   That's true of v4 IP headers. Is it also true of v6 
   routing headers? Is it also true of all of the rest
   of the v6 headers? I appreciate Steve's arguments on
   this, and I think they're valid -- for v4 IP headers.
   What I don't agree with is that you can make a 
   blanket statement that you can never have a situation
   where an outer header doesn't require some cryptographic
   protection. This is definitional: you can't do a security
   analysis on the undefined.

   So, in order to deprecate AH (which I think has a
   lot of merit), you'd have to do one of two things:

   1) Put a stake in the ground saying that everything
      outside of the ESP header is fair game, and that
      if you must have protection you must put it inside
      (begging the question of per-hop headers which 
      require the header be in the clear)
   2) Hedge your bets by folding AH functionality into
      ESP (or something like ESP). This could be done
      by slavishly requiring AH functionality across
      the board, or it could be more clever and optimize
      only the cases where you have outer headers that
      need to be protected (and potentially which
      fields)

    I'm not comfortable with #1 because it smacks of
    being able to predict the future with too much
    certainty. #2 is certainly not easy since it
    would require a careful analysis of each
    header to determine whether there is any
    benefit to including it into the MAC
    calculation. However there would be a net
    reduction in complexity and header size if we
    nuked AH, so maybe it's worth it. 

	      Mike
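
Added example, not part of the original message: a simplified Python model of the coverage difference the thread is arguing about, comparing an AH-style ICV (outer IPv4 header with the RFC 4302 mutable fields zeroed, plus the body) against an ESP-style ICV (body only). The key, addresses, SPI and the helper names are constructed for illustration, and the AH header itself is left out of the MAC input to keep the sketch short.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA key

def ipv4_header(src, dst, ttl, payload_len):
    """20-byte IPv4 header, no options; protocol 50 (ESP), checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, 50, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    """Zero the IPv4 fields RFC 4302 treats as mutable in transit."""
    b = bytearray(hdr)
    b[1] = 0                 # DSCP/ECN (old TOS byte)
    b[6:8] = b"\x00\x00"     # flags and fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)

def ah_style_icv(hdr, body):
    """AH-style coverage: immutable outer header fields plus the body."""
    return hmac.new(KEY, zero_mutable(hdr) + body, hashlib.sha256).digest()

def esp_style_icv(hdr, body):
    """ESP-style coverage: ESP header and ciphertext only; outer header ignored."""
    return hmac.new(KEY, body, hashlib.sha256).digest()

def detects(icv_fn, sent_hdr, received_hdr, body):
    """True if the ICV computed at the receiver no longer matches the sender's."""
    return not hmac.compare_digest(icv_fn(sent_hdr, body),
                                   icv_fn(received_hdr, body))

def compare():
    body = struct.pack("!II", 0x1001, 1) + b"constructed ciphertext"  # SPI, seq, data
    sent = ipv4_header("192.0.2.1", "198.51.100.7", 64, len(body))
    new_src = ipv4_header("203.0.113.9", "198.51.100.7", 64, len(body))
    new_ttl = ipv4_header("192.0.2.1", "198.51.100.7", 63, len(body))
    return {
        "ah_src": detects(ah_style_icv, sent, new_src, body),
        "esp_src": detects(esp_style_icv, sent, new_src, body),
        "ah_ttl": detects(ah_style_icv, sent, new_ttl, body),
        "esp_ttl": detects(esp_style_icv, sent, new_ttl, body),
    }

if __name__ == "__main__":
    for name, hit in compare().items():
        print(name, hit)
```

A changed source address fails only the AH-style check, while a changed TTL fails neither, which is why the question of which outer fields (and which IPv6 extension headers) belong in the MAC has to be answered header by header.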

