Re: AH is pretty useless and perhaps should be deprecated

2009-11-14 Thread Mohacsi Janos

On Sat, 14 Nov 2009, Jack Kohn wrote:

> Hi,
>
> Interesting discussion on the utility of Authentication Header (AH) in
> IPSecME WG.
>
> http://www.ietf.org/mail-archive/web/ipsec/current/msg05026.html
>
> Post explaining that AH even though protecting the source and
> destination IP addresses is really not good enough.
>
> http://www.ietf.org/mail-archive/web/ipsec/current/msg05056.html
>
> What do folks feel? Do they see themselves using AH in the future?
> IMO, ESP and WESP are good enough and we don't need to support AH any
> more ..

They are planning to make OSPFv3 IPSec authentication useless?
Best Regards,
Janos Mohacsi

Re: AH is pretty useless and perhaps should be deprecated

2009-11-14 Thread Steven Bellovin

On Nov 14, 2009, at 8:28 PM, David Barak wrote:

> I've seen AH used as a "prove that this hasn't been through a NAT" mechanism. 
>  In this context, it's pretty much perfect.
> 
> However, what I don't understand is where the dislike for it originates: if 
> you don't like it, don't run it.  It is useful in certain cases, and it's 
> already in all of the production IPSec implementations.  Why the hate?

There are two reasons.  First, it's difficult to implement cleanly, since it 
violates layering: you have to know the contents of the surrounding IP header 
to calculate the AH field.  Back when I was security AD, I had implementors, 
especially implementors of on-NIC IPsec, beg me to get rid of it.  Second, it's 
redundant; if (as I believe), ESP with NULL encryption does everything useful 
that AH does, why have two mechanisms?


--Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: AH is pretty useless and perhaps should be deprecated

2009-11-14 Thread David Barak
I've seen AH used as a "prove that this hasn't been through a NAT" 
mechanism.  In this context, it's pretty much perfect.

However, what I don't understand is where the dislike for it originates: if you 
don't like it, don't run it.  It is useful in certain cases, and it's already 
in all of the production IPSec implementations.  Why the hate?
David Barak
Need Geek Rock? Try The Franchise: 
http://www.listentothefranchise.com

Re: AH is pretty useless and perhaps should be deprecated

2009-11-14 Thread Steven Bellovin

On Nov 14, 2009, at 2:46 PM, Adam Stasiniewicz wrote:

> I have seen AH used in network segmentation, i.e. systems in group A are
> configured with rules to require all communication be over AH.  Systems in
> group B (which have no AH and no appropriate certificates configured) can't
> chat with group A.  The benefit of using AH vs. ESP in this case is twofold.
> First, AH is less CPU intensive, and when one considers enabling it on
> all/many workstations and servers in a company, that can add up to a lot of
> CPU cycles.  Second, since AH only signs, not encrypts, products like
> network analyzers, IDS/IPS, etc. can still perform their functions.

ESP with NULL encryption only authenticates (not "signs") also.  However, one 
can't tell in a context-free way that NULL is in use.  If you're using it, 
though, I can't see how AH could be less expensive.

AH has been controversial for years.  I've been asking folks to delete it since 
1995.  I've never succeeded...  At least RFC 4301 deprecated it to a MAY 
instead of a MUST for IPsec implementors.
> 
> Outside of some manual deployments, the only commercial product I know that
> offers AH based network segmentation is Microsoft's NAP:
> http://www.microsoft.com/nap 
> 
> Regards,
> Adam Stasiniewicz
> 
> -Original Message-
> From: Jack Kohn [mailto:kohn.j...@gmail.com] 
> Sent: Friday, November 13, 2009 6:23 PM
> To: nanog@nanog.org
> Subject: AH is pretty useless and perhaps should be deprecated
> 
> Hi,
> 
> Interesting discussion on the utility of Authentication Header (AH) in
> IPSecME WG.
> 
> http://www.ietf.org/mail-archive/web/ipsec/current/msg05026.html
> 
> Post explaining that AH even though protecting the source and
> destination IP addresses is really not good enough.
> 
> http://www.ietf.org/mail-archive/web/ipsec/current/msg05056.html
> 
> What do folks feel? Do they see themselves using AH in the future?
> IMO, ESP and WESP are good enough and we don't need to support AH any
> more ..
> 
> Jack
> 
> 
> 


--Steve Bellovin, http://www.cs.columbia.edu/~smb

RE: AH is pretty useless and perhaps should be deprecated

2009-11-14 Thread Adam Stasiniewicz
I have seen AH used in network segmentation, i.e. systems in group A are
configured with rules to require all communication be over AH.  Systems in
group B (which have no AH and no appropriate certificates configured) can't
chat with group A.  The benefit of using AH vs. ESP in this case is twofold.
First, AH is less CPU intensive, and when one considers enabling it on
all/many workstations and servers in a company, that can add up to a lot of
CPU cycles.  Second, since AH only signs, not encrypts, products like
network analyzers, IDS/IPS, etc. can still perform their functions.

Outside of some manual deployments, the only commercial product I know that
offers AH based network segmentation is Microsoft's NAP:
http://www.microsoft.com/nap 

Regards,
Adam Stasiniewicz

-Original Message-
From: Jack Kohn [mailto:kohn.j...@gmail.com] 
Sent: Friday, November 13, 2009 6:23 PM
To: nanog@nanog.org
Subject: AH is pretty useless and perhaps should be deprecated

Hi,

Interesting discussion on the utility of Authentication Header (AH) in
IPSecME WG.

http://www.ietf.org/mail-archive/web/ipsec/current/msg05026.html

Post explaining that AH even though protecting the source and
destination IP addresses is really not good enough.

http://www.ietf.org/mail-archive/web/ipsec/current/msg05056.html

What do folks feel? Do they see themselves using AH in the future?
IMO, ESP and WESP are good enough and we don't need to support AH any
more ..

Jack

Re: AH is pretty useless and perhaps should be deprecated

2009-11-14 Thread Thomas Maufer
I prefer letting the market deprecate things. If no one uses AH, someday the
IETF can mark it as "Historic," but long before that there will come a time
when no one is interested in doing any more work on it. I was at the IETF
IPsec WG meeting (in Los Angeles in the mid-90s) when AH would have died
except once Microsoft strongly endorsed it, everyone else took the anti-MSFT
viewpoint. Also, don't confuse "almost no one uses" for "no one uses" -- if
AH is useful for someone, there is no harm in having a spec that tells them
how to do it, and hopefully that spec is well written such that they can
interoperate with other implementations.

AH is less efficient than ESP because you have to buffer a whole packet
prior to calculating the Integrity Check Value that goes in the AH [header],
which goes at the front. The calculations you have to do involve parts of
the packet that are both before and after the AH [header], including the
packet's payload. Once you calculate the Integrity Check Value (ICV) you
then stuff it in the appropriate part of the AH and send the packet.

ESP's cryptographic goodness is appended at the end (and the packet is
encrypted up until that point), and you can be doing a running cryptographic
algorithm as the packet is streamed out (encrypted after the IP header and
ESP header), then append the right amount of padding and the ESP "trailer"
at the end.

This site has some nice graphical depictions of AH and ESP (including the
tunnel-mode vs. transport-mode that I didn't touch on:
http://unixwiz.net/techtips/iguide-ipsec.html)

Cheers,
~tom


On Fri, Nov 13, 2009 at 18:27, Jack Kohn  wrote:

> So who uses AH and why?
>
> Jack
>
> On Sat, Nov 14, 2009 at 6:19 AM, Owen DeLong  wrote:
> > I've never seen anyone use AH vs. ESP.  I've always used ESP and so has
> > every other IPSEC implementation I've seen anyone do.
> >
> > Owen
> >
> > On Nov 13, 2009, at 4:22 PM, Jack Kohn wrote:
> >
> >> Hi,
> >>
> >> Interesting discussion on the utility of Authentication Header (AH) in
> >> IPSecME WG.
> >>
> >> http://www.ietf.org/mail-archive/web/ipsec/current/msg05026.html
> >>
> >> Post explaining that AH even though protecting the source and
> >> destination IP addresses is really not good enough.
> >>
> >> http://www.ietf.org/mail-archive/web/ipsec/current/msg05056.html
> >>
> >> What do folks feel? Do they see themselves using AH in the future?
> >> IMO, ESP and WESP are good enough and we don't need to support AH any
> >> more ..
> >>
> >> Jack
> >
> >
>
>
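
The AH-versus-ESP points raised in this thread in runnable form: the AH ICV is computed over the outer IP header (the layering problem Steve Bellovin describes), which is also why AH acts as the "has this been through a NAT" check David Barak mentions, while an ESP-NULL ICV covers only the ESP header, payload and trailer and can be computed as the payload streams out, as Tom describes. This is an added example, not code from the thread or from any IPsec implementation; it assumes HMAC-SHA-256-128 as the integrity algorithm and uses a constructed key and constructed packets.

```python
import hmac, hashlib, struct

KEY = b"constructed-demo-key"  # constructed; a real SA takes its key from IKE

def ipv4_header(src, dst, ttl, proto, length):
    """20-byte IPv4 header; the checksum is left at zero for brevity."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0x1234, 0x4000,
                       ttl, proto, 0, addr(src), addr(dst))

def zero_mutable(ip_hdr):
    """Zero DSCP/ECN, flags+fragment offset, TTL and checksum (RFC 4302 App. A)."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h)

def ah_header(spi, seq, icv=b"\0" * 16, next_hdr=6):
    """Next header, payload len (32-bit words minus 2), reserved, SPI, seq, ICV."""
    return struct.pack("!BBHII", next_hdr, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv

def ah_icv(ip_hdr, spi, seq, payload):
    """HMAC-SHA-256-128 over outer IP header (mutable fields zeroed), AH with a
    zeroed ICV field, and payload: the sender must know the IP header first."""
    data = zero_mutable(ip_hdr) + ah_header(spi, seq) + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def ah_verify(ip_hdr, spi, seq, icv, payload):
    return hmac.compare_digest(icv, ah_icv(ip_hdr, spi, seq, payload))

def esp_null_icv(spi, seq, chunks, next_hdr=6):
    """ESP-NULL ICV over SPI, seq, payload and trailer; no IP field is covered,
    so the MAC can run incrementally while the payload streams out."""
    h, total = hmac.new(KEY, struct.pack("!II", spi, seq), hashlib.sha256), 0
    for c in chunks: h.update(c); total += len(c)
    pad = (-(total + 2)) % 4                       # RFC 4303 4-byte alignment
    h.update(bytes(range(1, pad + 1)) + bytes([pad, next_hdr]))
    return h.digest()[:16]

def demo():
    """One AH-protected datagram after a plain router hop and after a NAT."""
    spi, seq, payload = 0x1001, 1, b"constructed TCP segment"
    length = 20 + 28 + len(payload)               # IP + AH (12 + 16 ICV) + payload
    sent = ipv4_header("10.0.0.1", "192.0.2.9", 64, 51, length)
    icv = ah_icv(sent, spi, seq, payload)
    routed = ipv4_header("10.0.0.1", "192.0.2.9", 63, 51, length)     # TTL decremented
    natted = ipv4_header("203.0.113.5", "192.0.2.9", 63, 51, length)  # source rewritten
    return {"ah_after_router": ah_verify(routed, spi, seq, icv, payload),
            "ah_after_nat": ah_verify(natted, spi, seq, icv, payload),
            "esp_stream_matches": esp_null_icv(spi, seq, [payload])
                                  == esp_null_icv(spi, seq, [payload[:5], payload[5:]])}
```

A TTL decrement by a router leaves the AH check intact because TTL is zeroed before the MAC, while a rewritten source address fails it; the ESP-NULL tag never sees the IP header and is identical whether the payload is hashed at once or in pieces.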


Re: kaspersky anti-virus tech, with a clue?

2009-11-14 Thread Gadi Evron

Jim Mercer wrote:

> can anyone point me at a Kaspersky tech with a clue?  maybe we can re-craft
> our login url to not offend the Kaspersky suite.

Forwarding.

Gadi.


--
Gadi Evron,
g...@linuxbox.org.

Blog: http://gevron.livejournal.com/



kaspersky anti-virus tech, with a clue?

2009-11-14 Thread Jim Mercer

it seems that kaspersky anti-virus is "detecting" our hotspot captive portal
login as a "Trojan-Downloader.Script.Generic".

my googling on this seems to indicate that it isn't finding so much a
signature, but something in the url that is "suspicious".

unfortunately, this is causing some fairly unhappy, panicking calls to our
support people from customers.

can anyone point me at a Kaspersky tech with a clue?  maybe we can re-craft
our login url to not offend the Kaspersky suite.

note: this hotspot suite has been in operation for 4+ years, and is based on
the chillispot portal.

note: these reports only started recently, so i suspect something was added to
Kaspersky's virus database recently that kicked this off.

-- 
Jim Mercer    j...@reptiles.org    +92 336 520-4504
"I'm Prime Minister of Canada, I live here and I'm going to take a leak."
   - Lester Pearson in 1967, during a meeting between himself and
President Lyndon Johnson, whose Secret Service detail had taken over
Pearson's cottage retreat.  At one point, a Johnson guard asked
Pearson, "Who are you and where are you going?"