
RE: Deprecation of AH header from the IPSEC tool kit



Ok, time to stick my big nose in things.

There have been many claims that there is absolutely nothing worth
protecting with AH in the IP header.  Well, while doing some deep thinking
about Security Policy a coworker and I came across a requirement for IPSO
(RFC1108) U.S. Department of Defense Security Options for the Internet
Protocol.  It seems that DOD networks would like to have an IP header option
that includes a tag that says how "classified" the packet is.  Now RFC 2401
mentions this header explicitly and in fact allows IPsec to make security
determinations based on this field.

I think this is a great value for AH where I can authenticate the IP Header
options to verify that the RFC1108 header has not been changed, possibly
removing security levels from my packet.

Just a dissenting opinion; I had never heard of 1108 myself.  I am still in
the Get Rid of AH camp myself (although leaning farther out of that camp
this morning).

Bill

______________________________________________
Bill Strahm        Programming today is a race between
bill.strahm@       software engineers striving to build
intel.com          bigger and better idiot-proof programs,
(503) 264-4632     and the Universe trying to produce
                   bigger and better idiots.  So far, the
                   Universe is winning.--Rich Cook
I am not speaking for Intel.  And Intel rarely speaks for me


> -----Original Message-----
> From: Michael Richardson [mailto:mcr@solidum.com]
> Sent: Wednesday, June 14, 2000 6:06 PM
> To: Michael Thomas; ipsec@lists.tislabs.com
> Subject: Re: Deprecation of AH header from the IPSEC tool kit 
> 
> 
> 
> >>>>> "Michael" == Michael Thomas <mat@cisco.com> writes:
>     Michael> Michael Richardson writes:
>     >> There is no reduction in complexity if you create an ESP that covers
>     >> the headers. The question is more simply: rm rfc2402.txt
>     >> 
>     >> or not.
> 
>     Michael> [cutting to the chase]
> 
>     Michael> If the end result is an AH'less v4 but MUST AH in v6, with
>     Michael> oodles of v4 implementations which already support v4 AH, I'm
>     Michael> not sure that there's a whole lot of motivation to deprecate it just
>     Michael> for v4. You can just not run AH, after all.
> 
>   At present, you can't say that you are "IPsec IPv4 compliant" if you don't
> have IPv4. At least, that is what the marketing people have been led to
> believe, and the customers, and thus you have a lot of "checkbox-compliant"
> IPv4 AH implementations.
>   I feel for these people, which is why I suggest that AH be moved to
> "MAY" for IPv4, but not deprecated.
> 
>   I also don't want to lose AH.
> 
>     Michael> Are folks over here aware that the cellular folks are requiring
>     Michael> ipv6 in next gen handsets, and all that implies for security?
>     Michael> This issue is not entirely academic anymore.
> 
>   Indeed!!!
> 
>    :!mcr!:            |  Solidum Systems Corporation, http://www.solidum.com
>    Michael Richardson |For a better connected world,where data flows faster<tm>
>  Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
> 	mailto:mcr@sandelman.ottawa.on.ca	mailto:mcr@solidum.com
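Bill's point, that the AH integrity check covers an IPv4 option such as the RFC 1108 security option while per-hop fields like TTL are excluded, as an added example that is not part of this thread. It assumes a constructed key, constructed addresses and SPI, HMAC-SHA1-96 as the AH algorithm, and a header carrying only the IPSO option (which RFC 2402 lists as immutable); a full implementation would also zero mutable options.

```python
import hmac
import hashlib
import struct

KEY = b"constructed-demo-key-not-a-real-SA"  # constructed; a real SA gets this from IKE
IPSO_TYPE = 130      # RFC 1108 Basic Security Option
IPPROTO_AH = 51
IPPROTO_TCP = 6
# RFC 1108 classification level encodings
LEVEL = {"top_secret": 0x3D, "secret": 0x5A, "confidential": 0x96, "unclassified": 0xAB}

def ipso_option(level_name):
    """4-byte RFC 1108 Basic Security Option: type, length, level, authority flags."""
    return bytes([IPSO_TYPE, 4, LEVEL[level_name], 0x00])

def ipv4_header(ttl, options, payload_len):
    """Minimal IPv4 header plus options; checksum left 0 (recomputed per hop anyway)."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + payload_len
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234, 0x4000,
                        ttl, IPPROTO_AH, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + options   # constructed addresses 10.0.0.1 -> 10.0.0.2

def zero_mutable_fields(hdr):
    """RFC 2402 3.3.3.1: zero TOS, flags/fragment offset, TTL and checksum before hashing.
    Option bytes stay as-is: this sample carries only IPSO, which is immutable."""
    h = bytearray(hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_header(spi, seq, icv):
    """AH header: next header, length in 32-bit words minus 2, reserved, SPI, seq, ICV."""
    length = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", IPPROTO_TCP, length, 0, spi, seq) + icv

def ah_icv(key, ip_hdr, spi, seq, payload):
    """HMAC-SHA1-96 over (IP header with mutable fields zeroed || AH with ICV zeroed || payload)."""
    ah_zero = ah_header(spi, seq, bytes(12))
    mac = hmac.new(key, zero_mutable_fields(ip_hdr) + ah_zero + payload, hashlib.sha1).digest()
    return mac[:12]

def icv_for(ttl, level_name, payload=b"constructed payload"):
    """ICV of a packet with the given TTL and IPSO classification level."""
    hdr = ipv4_header(ttl, ipso_option(level_name), 24 + len(payload))
    return ah_icv(KEY, hdr, spi=0x1000, seq=1, payload=payload)
```

Decrementing TTL in transit leaves the ICV intact, while rewriting the IPSO classification byte changes it, so a receiver verifying AH detects the downgrade.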