On 02 Apr 2014, at 13:25 , Paul Hoffman wrote: > That was certainly not the intention.
OK. >> [IMPORTANT NOTE: A previous employer of mine shipped IPv4/IPv6 routers >> with forwarding silicon that could parse AH and any other IPv4/IPv6 >> options - at wire-speed for 10 Gbps interfaces - 10 years ago. I am >> aware of 2 other very widely deployed implementations with the same >> ability to parse past AH to read TCP/UDP ports and apply ACLs at >> wire-speed. So this is a widely deployed capability, rather than >> theory. :-] > > That's not an important note for this discussion, ... Ah, but it is important, because it talks about deployed reality, and many many users and implementers DO care about the ability to apply ACLs. > which is about what the IPsec community > has expressed as a general preference. You are mis-characterising the "VPN community" (e.g. VPNC) as being the whole "IPsec community". This I-D supposedly is NOT a VPN-focused draft, but instead claims to address the whole audience of IPsec implementers, users, and usages. > You feel that preference is wrong, and you have stated > that in earlier WG discussions. No. That is not what I believe or feel, NOR is the quote a correct summary what I have expressed in past discussions. Instead, that is a mis-apprehension of what I have said. In fact, I don't think that the preference for ESP with an integrated transform is wrong or bad - for VPN uses. Indeed, there are well-understood and broadly agreed reasons why - for VPNs - ESP with an integrated transform is preferable. Further, we all agree and understand that VPN is the most widely deployed use case. However, it is not the only deployed IPsec use case. A general IPsec Requirements document ought to be addressing all deployed use cases, and ought not be limited to VPN uses. >> We owe it to readers to be crisp, clear, complete, and accurate >> with the text in this draft. > > Yes, but: > >> Candidate new text: >> >> "When no IPv4 options or IPv6 optional headers are present, and >> in environments without concerns about attacks based on option >> insertion (e.g. inserting a source routing header to facilitate >> pervasive eavesdropping), the IPsec community generally prefers >> ESP with NULL encryption over AH. However, some protocols >> require AH. Also, AH always protects all IPv4 options and IPv6 >> optional headers, while ESP NULL is unable to protect any IPv4 >> options or to protect IPv6 options that are seen & processed by >> intermediate systems (e.g. routers, security gateways, other >> middle-boxes). Some IP-layer options, for example IPSO [RFC-1108] >> and CALIPSO [RFC-5570], today are deployed in some environments >> while using AH to provide both integrity protection & authentication. >> >> Further, deployed routers from multiple vendors are able to parse >> past an AH header in order to read upper-layer protocol >> (e.g. TCP) header information (e.g. to apply port-based router >> ACLs) at wire-speed. By contrast, there is no 100% reliable way >> to parse past an ESP header, although some ESP header parsing >> heuristics have been documented [RFC-5879] that work in some cases. > > That is neither crisp nor clear; it is more complete; > it is inaccurate about the parameters that the IPsec community cares about. Precisely HOW is it inaccurate ? I believe that everything in my text is accurate. If there is something inaccurate, please do say precisely what. > The proposed text comes off as an advertisement for AH, but that's exactly > the opposite direction that the WG has been leaning for this document. I'm open to having you or others propose some alternative text, provided that text makes clear that ESP can't protect IP options in transit, while AH can. This difference in the provided security properties is entirely factual. For VPN deployments, this might not matter, but for other existing IPsec deployments it is known to matter. Again, this document is not about a VPN profile of IPsec, it is about the entirety of IPsec. > The IPsec community generally prefers ESP with NULL encryption over AH. > AH is still required in some protocols and operational environments > when there are security-sensitive options in the IP header, such as > source routing headers. This does not make clear that ESP can't protect the IP options, which is an important-to-document limitation of ESP. It also should mention IP sensitivity label options, such as RFC-1108 and RFC-5570 as a use case for AH, in addition to source-routing headers. Yours, Ran _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
