[ipv6-wg] RIPE-501 replacement document - IPsec question tocommunity - we need your input.
Eric Vyncke (evyncke) evyncke at cisco.com
Mon Jan 2 14:26:42 CET 2012
Merike and others,

When I wrote before Christmas 'AH for OSPFv3', I actually wanted to say 'IPsec authentication for OSPFv3'. After reading RFC 4552, it is obvious that 'ESP-null in transport mode is mandatory for routers supporting OSPFv3'.

Sorry for the confusion.

And I wish an IPv6-enabled year 2012 to you and all your devices.

-éric

> -----Original Message-----
> From: Merike Kaeo [mailto:merike at doubleshotsecurity.com]
> Sent: Friday 30 December 2011 19:33
> To: Leo Vegoda
> Cc: Eric Vyncke (evyncke); ipv6-wg at ripe.net; Jan Zorz @ go6.si; Florian Weimer
> Subject: Re: [ipv6-wg] RIPE-501 replacement document - IPsec question tocommunity - we need your input.
>
>
> On Dec 27, 2011, at 8:44 AM, Leo Vegoda wrote:
>
> > Hi,
> >
> > On Dec 27, 2011, at 8:08 am, Merike Kaeo wrote:
> >> On Dec 27, 2011, at 7:43 AM, Eric Vyncke (evyncke) wrote:
> >>
> >>> I think that we should keep IPsec/IKEv2 only for firewall and mention to any place where OSPFv3 is mentioned that the support of AH is required.
> >>
> >> Is there an RFC that now states that IPsec AH for OSPFv3 is a 'MUST' or 'SHOULD' and not a 'MAY'? Last I recall the specifics for how to implement IPsec for OSPFv3 are in RFC4552 and state that ESP is a 'MUST' and AH is a 'MAY'.
> >
> > There is an unverified errata report that reverses those key words:
> >
> > http://www.rfc-editor.org/errata_search.php?rfc=4552
> >
> > It'll be interesting to see if its status is ever changed to verified.
>
> There are no details in the errata that are useful. I find it amusing that yesterday there started a discussion in the IETF IPsec wg about writing a draft to move AH to historic. 3 years ago I had started writing a doc to enumerate why ESP-Null is good enough and detailed the fields that were getting protected using AH and why even with OSPFv3 there wasn't a clear advantage. There are nuances with SPD that you implicitly get protection of the SRC and DST IP addresses.
>
> I think I need to finish that paper as it's 90% done. I'll send out to a few folks early next week.....something I was doing in some spare time a few years ago.
>
> Note also that this argument has come up a few times since even though you can use ESP for only integrity protection it has been difficult for vendors to make a quick distinction whether an ESP packet is integrity only or also encrypted. So, some vendors prefer to use AH since in some ways it is 'simpler' and doesn't affect their performance.
>
> AH is the least tested protocol in any interoperability test. I have attended a few and if that has changed, OK. Not from my experience.
>
> - merike
>
> >
> > Regards,
> >
> > Leo
> >
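An added illustration of the point argued in the thread, not code from any of the posters: what the AH integrity check value covers versus what the ESP-NULL one covers when protecting an OSPFv3 packet, why ESP still catches a modified source or destination through the SA/SPD selector check that Merike alludes to, and why a middlebox cannot tell ESP-NULL from encrypted ESP on the wire. Packet layouts follow RFC 4302 (AH) and RFC 4303 (ESP); the integrity algorithm (HMAC-SHA-256-128, RFC 4868), the key, the SPIs, the addresses and the OSPFv3 Hello are all constructed sample values chosen for this example.

```python
"""Added illustration, not code from the thread: AH versus ESP-NULL coverage for an
OSPFv3 packet. Layouts per RFC 4302/4303; HMAC-SHA-256-128 (RFC 4868) is an assumed
integrity algorithm; key, SPIs, addresses and the Hello are constructed sample values."""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_ESP, IPPROTO_AH, IPPROTO_OSPF = 50, 51, 89
KEY = bytes(range(32))                       # constructed integrity key
ICV_LEN = 16                                 # HMAC-SHA-256-128 truncation


def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ipv6_header(src, dst, next_header, payload_len, hop_limit=1):
    # Version 6, DSCP/ECN/Flow Label zero, then Payload Length, Next Header, Hop Limit
    return (struct.pack(">IHBB", 6 << 28, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def zero_mutable(ip6):
    """RFC 4302 A.2: DSCP, ECN, Flow Label and Hop Limit are mutable and zeroed for the
    ICV; Version, Payload Length, Next Header, Source and Destination are covered."""
    version_only = struct.unpack(">I", ip6[:4])[0] & 0xF0000000
    return struct.pack(">I", version_only) + ip6[4:7] + b"\x00" + ip6[8:40]


def build_ah(src, dst, ospf, spi=0x100, seq=1):
    ah_len = 12 + ICV_LEN                    # fixed fields + ICV = 28 bytes = 7 words
    ip6 = ipv6_header(src, dst, IPPROTO_AH, ah_len + len(ospf))
    fixed = struct.pack(">BBHII", IPPROTO_OSPF, ah_len // 4 - 2, 0, spi, seq)
    covered = zero_mutable(ip6) + fixed + b"\x00" * ICV_LEN + ospf   # ICV field zeroed
    return ip6 + fixed + icv(covered) + ospf


def verify_ah(pkt):
    ip6, fixed, got, ospf = pkt[:40], pkt[40:52], pkt[52:68], pkt[68:]
    return hmac.compare_digest(icv(zero_mutable(ip6) + fixed + b"\x00" * ICV_LEN + ospf), got)


def build_esp_null(src, dst, ospf, spi=0x200, seq=1):
    pad_len = (-(len(ospf) + 2)) % 4         # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + struct.pack(">BB", pad_len, IPPROTO_OSPF)
    body = struct.pack(">II", spi, seq) + ospf + trailer
    ip6 = ipv6_header(src, dst, IPPROTO_ESP, len(body) + ICV_LEN)
    return ip6 + body + icv(body)            # ICV covers SPI..trailer, never the IPv6 header


def verify_esp(pkt):
    return hmac.compare_digest(icv(pkt[40:-ICV_LEN]), pkt[-ICV_LEN:])


# Constructed inbound SAD entry for the ESP SA: OSPFv3 from a link-local router to
# AllSPFRouters, the kind of manually keyed SA RFC 4552 describes.
SAD_IN = {0x200: {"src": "fe80::1", "dst": "ff02::5"}}


def receive_esp(pkt):
    """RFC 4301 5.2 inbound order: find the SA by SPI, check the ICV, then match the
    packet's addresses against the SA selectors. That selector check is the 'implicit'
    protection of SRC/DST with ESP, since the ESP ICV itself does not cover them."""
    src = str(ipaddress.IPv6Address(pkt[8:24]))
    dst = str(ipaddress.IPv6Address(pkt[24:40]))
    sa = SAD_IN.get(struct.unpack(">I", pkt[40:44])[0])
    if sa is None or not verify_esp(pkt):
        return "drop: unknown SPI or bad ICV"
    if (src, dst) != (sa["src"], sa["dst"]):
        return "drop: selector mismatch"
    return "accept"


def wire_next_header(pkt):
    """What a middlebox sees: AH carries the payload protocol in the clear; ESP keeps it
    in the trailer, so ESP-NULL looks the same as encrypted ESP without the SA."""
    return pkt[40] if pkt[6] == IPPROTO_AH else None


def with_dst(pkt, dst):
    return pkt[:24] + ipaddress.IPv6Address(dst).packed + pkt[40:]


def with_hop_limit(pkt, n):
    return pkt[:7] + bytes([n]) + pkt[8:]


def demo():
    hello = bytes.fromhex("03010024") + b"\x00" * 32   # constructed OSPFv3 Hello header + body
    ah = build_ah("fe80::1", "ff02::5", hello)
    esp = build_esp_null("fe80::1", "ff02::5", hello)
    return {
        "ah_ok": verify_ah(ah), "esp_ok": verify_esp(esp),
        "ah_hoplimit_changed": verify_ah(with_hop_limit(ah, 64)),     # mutable field: still valid
        "ah_dst_changed": verify_ah(with_dst(ah, "ff02::6")),         # covered field: fails
        "esp_dst_changed_icv": verify_esp(with_dst(esp, "ff02::6")),  # ICV alone does not notice
        "esp_dst_changed_rx": receive_esp(with_dst(esp, "ff02::6")),  # SA selector check does
        "ah_visible_proto": wire_next_header(ah), "esp_visible_proto": wire_next_header(esp),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the two halves of the argument side by side: AH rejects a packet whose destination was rewritten but accepts a changed Hop Limit, while ESP-NULL's ICV is indifferent to the outer addresses and relies on the SA selector check to reject the same rewrite. The `wire_next_header` result is the vendor problem the thread mentions: AH exposes protocol 89, ESP exposes nothing that distinguishes integrity-only from encrypted traffic.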