[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Death to AH (was Re: SA identification)

To: "Marcus Leech" <mleech@nortelnetworks.com>
Subject: Re: Death to AH (was Re: SA identification)
From: Michael Thomas <mat@cisco.com>
Date: Sat, 24 Mar 2001 07:10:31 -0800 (PST)
Cc: Henry Spencer <henry@spsystems.net>, Francis Dupont <Francis.Dupont@enst-bretagne.fr>, IP Security List <ipsec@lists.tislabs.com>
In-Reply-To: <3ABAC453.8D629382@nortelnetworks.com>
References: <Pine.BSI.3.91.1010322192529.17430G-100000@spsystems.net><3ABAC453.8D629382@nortelnetworks.com>
Sender: owner-ipsec@lists.tislabs.com

Marcus Leech writes:
 > The assertion was made that the current Mobile IPV6 spec uses
 >   IPSEC in a way that just doesn't scale.  AH was chosen by
 >   Mobile IPV6 because it provides protection of outer header
 >   information, including the bits of IPV6 options goop that carries
 >   Mobile IPV6 binding updates.  It's not *impossible* to use ESP
 >   for this, but it's awkward.

   So, as somebody who thinks that:

   a) the IESG's concerns about using IPsec to
      correspondent nodes to protect BU's are
      well founded

   b) that AH should be nuked in general to 
      simplify IPsec

   c) using IPsec between the mobile node and
      it's home agent for binding updates as
      well as *some* well known CN's (ie, not
      for the random web browsing case) is a
      good thing, especially if it provides
      better security properties than the
      ultimate solution for (a)

   I'd say that we either need to come up with
   an application layer security schemes for
   BU's which address (a) and (c) simultaneously
   or have a means to have base level IPsec
   protect BU's which are not dependent on AH.

   Charlie brought up -- and I think I agree --
   that it would be unfortunate if two nodes 
   that were already running IPsec between 
   them and they didn't raise the "global PKI" 
   spectre couldn't use IPsec to authenticate
   and authorize the BU. A trivial case is a 
   mobile SIP phone with an SA between it and its
   first hop proxy which have the same localized
   PKI properties as the SA between the HA and MN.
   (indeed, between HA and MN, there may be no need 
   for a PKI at all, cf KINK).

   I doubt that naive tunnel mode ESP really fits the
   bill well here. There are a lot of concerns
   about bits in the air that are quite serious
   and using a tunnel would at base add another
   40 bytes to the overhead. I'm also rather 
   suspicious about the contention that ROHC and
   its ilk make tunnel/transport moot: there is a
   huge amount of overhead and state machinery
   to run compressors and counting on them -- 
   especially when you start talking about mobile
   routers -- is dubious at best.

   Maybe we ought to entertain Bruce Schneier's
   suggestions. As far as I can recall, they
   would seemingly address the concerns I outlined
   above. Even if we don't try to deprecate
   transport altogether, an out of band
   negotiation of "the inner header is the same
   as the outer header" compressing tunnel mode
   would be pretty easy to cons up for ISAKMP.

	    Mike

Follow-Ups:

Re: Death to AH (was Re: SA identification)

From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>

References:

Re: Death to AH (was Re: SA identification)

From: Henry Spencer <henry@spsystems.net>

Re: Death to AH (was Re: SA identification)

From: "Marcus Leech" <mleech@nortelnetworks.com>

Prev by Date: Re: Death to AH (was Re: SA identification)
Next by Date: Re: Death to AH (was Re: SA identification)
Prev by thread: Re: Death to AH (was Re: SA identification)
Next by thread: Re: Death to AH (was Re: SA identification)
Index(es):
- Main
- Thread