I think this argument implicitly assumes unicast.

Rich Graveman
On Thu, Nov 12, 2009 at 8:18 PM, Bhatia, Manav (Manav) <manav.bha...@alcatel-lucent.com> wrote:
> Daniel,
>
>> AH is a security feature we need to keep for header authentication
>
> Am really not sure about the value that AH adds even in case of header
> authentication.
>
> So what fields does AH protect:
>
> Version, Payload length, Next Header, Source IP and dest IP
>
> The only field worth modifying is the source and the dest IP. Now note that
> an IPSec SA is established between a pair of source IP and dest IP. Upon
> receipt of a packet containing an AH header, the receiver determines the
> appropriate (unidirectional) SA, based on the dest IP, security protocol
> (AH), and the SPI (it could also include the source IP). If the attacker
> modifies (or spoofs) either of the source or the dest IP, the SA lookup will
> fail and the receiver will regardless discard the packet. So what are we
> gaining by AH "header authentication"?
>
> AH can only add value over ESP-NULL if there are instances where despite
> address spoofing we erroneously process the IPSec packet. I don't see that
> happening, so is this really an issue?
>
> Cheers, Manav
> ________________________________
>
> From: Daniel Migault [mailto:mglt.i...@gmail.com]
> Sent: Thursday, November 12, 2009 11.14 AM
> To: Jack Kohn
> Cc: Stephen Kent; ipsec@ietf.org; Bhatia, Manav (Manav); Merike Kaeo
> Subject: Re: [IPsec] WESP - Roadmap Ahead
>
> On Thu, Nov 12, 2009 at 5:30 AM, Jack Kohn <kohn.j...@gmail.com> wrote:
>
>>> Whoops, I was wrong. I looked at 4552 and they do cite ESP-NULL (although
>>> they never refer to it that way) as a MUST, and AH as a MAY.
>>
>> Ok, so can we work on deprecating AH? This way new standards defined
>> in other WGs don't have to provide support for AH.
>
> AH is a security feature we need to keep for header authentication.
> Other WG may choose not to deal with AH and only consider ESP. I don't see
> what's wrong with that?
>
> Regards
> Daniel
> --
> Daniel Migault
> Orange Labs -- Security
> +33 6 70 72 69 58
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
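An added illustration of the two positions in this thread (example code, not from any of the posters): a toy model of inbound IPsec processing that selects the SA by (dest IP, protocol, SPI) and then verifies the ICV, where AH's ICV covers the outer source and dest addresses and ESP-NULL's does not. The unicast entries pin the peer address as Manav describes; modelling the multicast group SA (239.1.1.1) as shared by several senders, so that the source is not part of SA selection, is an assumption made here to show why the argument depends on unicast, as Rich notes. All addresses, SPIs and the key are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "AH" or "ESP" (ESP-NULL: integrity only, no encryption)
    spi: int
    payload: bytes
    icv: bytes = b""


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:12]   # 96-bit truncated ICV


def covered(pkt: Packet) -> bytes:
    # AH's ICV covers the immutable outer IP fields (src, dst) plus AH header and
    # payload; ESP's covers only the ESP header (SPI) and payload. Simplified model.
    hdr = f"{pkt.src}|{pkt.dst}|" if pkt.proto == "AH" else ""
    return f"{hdr}{pkt.spi}|".encode() + pkt.payload


def protect(key: bytes, pkt: Packet) -> Packet:
    return replace(pkt, icv=_mac(key, covered(pkt)))


def receive(sad: dict, pkt: Packet) -> str:
    """Inbound processing: select SA by (dst, proto, SPI), check the SA's permitted
    senders (None = any group member), then verify the ICV."""
    sa = sad.get((pkt.dst, pkt.proto, pkt.spi))
    if sa is None or (sa["senders"] is not None and pkt.src not in sa["senders"]):
        return "no-sa"
    if not hmac.compare_digest(pkt.icv, _mac(sa["key"], covered(pkt))):
        return "bad-icv"
    return "accept"


KEY = b"constructed-sample-key"   # sample value, not a real key
SAD = {  # constructed SAD; unicast SAs pin the peer, the group SA is shared by all senders
    ("10.0.0.2", "AH", 0x100): {"key": KEY, "senders": {"10.0.0.1"}},
    ("10.0.0.2", "ESP", 0x101): {"key": KEY, "senders": {"10.0.0.1"}},
    ("239.1.1.1", "AH", 0x200): {"key": KEY, "senders": None},
    ("239.1.1.1", "ESP", 0x201): {"key": KEY, "senders": None},
}


def outcome(proto: str, dst: str, spi: int) -> tuple:
    """Receiver verdicts for (genuine packet, outer dst altered, outer src altered)."""
    good = protect(KEY, Packet("10.0.0.1", dst, proto, spi, b"hello"))
    return (receive(SAD, good),
            receive(SAD, replace(good, dst="10.0.0.9")),
            receive(SAD, replace(good, src="10.0.0.7")))
```

For the unicast SAs both AH and ESP-NULL give ("accept", "no-sa", "no-sa"), matching Manav's point; for the group SA an altered source yields "bad-icv" under AH but "accept" under ESP-NULL, which is the case the unicast assumption hides.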