
Death to AH Now (was RE: Death to AH (was Re: SA identification))



I strongly agree. AH should die immediately.

AH was invented before mobile-IP. It was based on an assumption that IPv6 header fields should be protected, yet still be readable by routers in transit. This was not a useful requirement. Better protection can be provided by other mechanisms (like ESP). Over the last year or two there have been few supporters of AH (perhaps just 1?). The mandatory-to-implement status of AH is expensive and unnecessary.

The IETF makes it easier to add a technology than to remove it. I propose that the working group proceed with the following process:

1) The IPsec working group should have yet another straw poll on the death of AH :-(

   a) The following questions should be posed to working groups in the IETF

      Questions:

      i) Should AH be an IETF standards track document?

      If your answer was yes to the question above, please answer the following additional questions:

      ii) What useful security service does AH provide that can not be provided by other mechanisms (like ESP)?

      iii) Do you know of any significant existing application of AH?

   b) Since various working groups may have adopted AH (like mobile-IP) the poll should go to all working groups.

   c) The straw poll comment period should end in two weeks (last comments accepted April 6)

2) Take action if the results above indicate that AH should "die". Action items would include:

   a) Remove AH from the standards track by reissuing RFC 2402 as informational or experimental.

   b) Modify RFC 2401 to purge AH from the architecture.

   c) Minor modifications as required in other specifications (to be identified).

   d) Retain, but do not mandate key management support for AH. Minor modifications to key management specification may be required.

Paul

-----Original Message-----
From: Ari Huttunen [mailto:Ari.Huttunen@F-Secure.com]
Sent: Thursday, March 22, 2001 9:11 AM
To: Henry Spencer
Cc: IP Security List
Subject: Death to AH (was Re: SA identification)

Henry Spencer wrote:
>
> On Thu, 22 Mar 2001, Stephen Kent wrote:
> > really whether anyone manages SPIs in a fashion that relies on using
> > the other two values for differentiation.
>
> Linux FreeS/WAN currently makes minor use of the ability to assign the
> same SPI to SAs of different protocols, for the case where a single
> connection uses multiple protocols (e.g. AH+ESP). We're not strongly
> attached to this, however... especially since we definitely belong to the
> "Death to AH!!!" faction.
>
> Henry Spencer
> henry@spsystems.net

Yes, quick death to AH please!

I've now been writing a new draft for how to pass AH through NATs using UDP encapsulation (a continuation of the work that was presented in the WG meeting). It just basically sucks, and I'd much rather NOT do it at all! All the people doing the relevant drafts pretty much agreed that no-one wants to do it, but IPsec requires AH so we feel we're compelled to do it.

When there was discussion about why AH at all, the only real reason that I can recollect was that Mobile-IPv6 uses it to protect Binding Updates. Well, guess what, AH doesn't really work for them either, as witnessed in the WG meeting today.

Even if AH is not killed at once, a decision by this WG that AH doesn't need to go through NATs would help us a lot!

Ari

--
Ari Huttunen          phone: +358 9 2520 700
Software Architect    fax:   +358 9 2520 5001
F-Secure Corporation  http://www.F-Secure.com
F-Secure products: Integrated Solutions for Enterprise Security