On Dec 9, 2013, at 2:54 PM, Phillip Hallam-Baker <[email protected]> wrote:

On Mon, Dec 9, 2013 at 2:23 AM, Yoav Nir <[email protected]> wrote:
Phil,

The issue is not that ESP needs a NULL cipher. It's that AH wouldn't traverse 
NAT, and so they needed ESP to do the work that AH was designed to do.

I understand that, though the fact that ESP with authentication would work 
through NAT but not AH seems remarkably odd to me. It suggests that the design 
is wrong.

Of ESP (because it doesn't protect the IP header), or of AH (because it cannot 
traverse NAT)?


That flags a design error in the protocol AFAIK.

As a remote access protocol, IPSEC has fallen far short of satisfactory.

I don't think anyone is arguing against that. We wouldn't implement L2TP over 
IPsec or stuff IP packets into TLS connections if it was.

It has been necessary to install a plug in to use every corporate VPN I have 
used to date.


But beyond that little technicality, it stands out that they standardized AH at 
all. So they felt that there was a need for integrity-only IPsec. I guess part 
of this is that the perceived threats were different - there was less personal 
information on the Internet, and IPsec (unlike TLS) is much concerned with 
protecting non-confidential stuff like DNS, routing protocols. Today, about the 
only good use case I can think of that doesn't ever need confidentiality is 
NTP, and I don't know why we would want to design a protocol specifically for 
securing NTP.

And to do authentication only twice seems even stranger.


Another part is that this was 1996 and in 1996 you had the "Pentium Pro" with a 
150 MHz clock and a 60 MHz bus, which could probably do a few Mbps of 
3DES+HMAC-MD5, or four times that with HMAC-MD5 alone. These are not today's 
processors that do 4 Gbps per core with AES-GCM.

That is not the motivation that the RFC suggests.

It doesn't, but at the time you couldn't say "just encrypt everything" without 
seeming out of touch with reality. Today, you can.

BTW: this is not unique to IPsec. TLS also defines some NULL encryption 
ciphersuites.

I know, but the problem is that people are now pointing to the NULL ciphers as 
precedent.

The current algorithm draft ([1]) still has NULL as MTI. It's interesting that 
opinions range from MTI to HISTORIC.

Yoav

[1] http://tools.ietf.org/html/draft-ietf-ipsecme-esp-ah-reqts-01#section-2.2

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
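
Added illustration, not part of the original thread and not code from any IPsec implementation: a simplified model of the NAT point discussed above, where the AH integrity check covers the outer IP addresses and the ESP check covers only the ESP packet. The key, addresses, SPI and reduced header layout are constructed assumptions; real AH also covers its own header, and this models address-only NAT.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed sample key

def ip_header(src, dst, proto, ttl=64):
    """Simplified 20-byte IPv4 header (length, id and checksum left as 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def immutable_view(header):
    """Zero the fields AH treats as mutable in transit before authenticating."""
    h = bytearray(header)
    h[1] = 0                 # TOS/DSCP
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_icv(header, payload):
    """AH-style check: immutable IP header fields (incl. addresses) + payload."""
    return hmac.new(KEY, immutable_view(header) + payload, hashlib.sha256).digest()[:16]

def esp_icv(esp_packet):
    """ESP-style check: SPI, sequence number and payload only; no outer IP header."""
    return hmac.new(KEY, esp_packet, hashlib.sha256).digest()[:16]

def forward(header, new_src=None):
    """One router hop: decrement TTL; a NAT additionally rewrites the source."""
    h = bytearray(header)
    h[8] -= 1
    if new_src is not None:
        h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)

def survives_nat():
    payload = b"constructed upper-layer payload"
    esp_packet = struct.pack("!II", 0x1001, 1) + payload  # NULL-encrypted ESP body
    hdr = ip_header("10.0.0.5", "198.51.100.7", proto=51)
    ah_tag, esp_tag = ah_icv(hdr, payload), esp_icv(esp_packet)
    return {
        "ah_plain_hop": hmac.compare_digest(ah_tag, ah_icv(forward(hdr), payload)),
        "ah_nat": hmac.compare_digest(ah_tag, ah_icv(forward(hdr, "203.0.113.9"), payload)),
        "esp_nat": hmac.compare_digest(esp_tag, esp_icv(esp_packet)),  # NAT never touches it
    }

if __name__ == "__main__":
    print(survives_nat())
```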
