...
Divine guidance is, I suppose, one way to do protocol design, but it
could lead to *real* religious wars....
an appropriate caution given my typo :-).
Also, note that IPSO and CIPSO are examples of options that were
discussed at the IPSECME meeting this week, where there is a need
to bind the options to the payload. I observed that using tunnel
mode (ESP) addresses this concern, but one could also note that
using AH would do the same, with lower per-packet bandwidth
overhead.
Or put the labels in the SA, since especially for IPSO you probably
want cryptographic separation of different security levels.
There are various options here. I know of devices that have opted to
use ESP in tunnel mode to ensure the binding, and that is what I
noted during the IPSECME WG session. I may know of an instance or two
where AH has been used to do this, because it introduced less
(bandwidth) overhead than tunnel mode. Implementations that make use
of IPSO or CIPSO should negotiate the labels as part of the SA. The
label should be part of the SPD, and be checked based on SAD entry
data cached from the SPD. (Can you tell that I've been through all of
this?) We had a presentation by Joy (remotely) on adding label
support, as a new work item, which would explore these issues in more
detail, if we choose to adopt this as a new WG item.
I did go through the analysis you suggest for IPv4 and concluded
that nothing was both protectable and useful. I also noted the
following issue:
Furthermore, the AH spec says that we can't
enumerate the v4 options, and hence whether or not they should
be included or not -- but RFC1122 says that unknown IP options
MUST be silently ignored. So an implementation can receive an
option that it doesn't recognize, doesn't know if it changes
en route, must be ignored anyway -- but may or may not be included
in the AH calculation, and the receiver doesn't know.
Note, of course, that that was from 1995; I have not repeated the
analysis for newer AH or IPv6 specs.
I am not suggesting that any aspect of your analysis is flawed. I am
suggesting that before the WG chooses to further deprecate AH, it
needs to document the analysis supporting this decision, not just
cite a couple of examples and make general statements in support of
such an action.
Steve
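The interoperability problem described in the quoted 1995 analysis, as an added example that is not part of this thread: a toy AH integrity-check computation in Python in which each end decides on its own how to treat an IPv4 option it does not recognize. The option classification is a simplified assumption drawn from RFC 4302 Appendix A, the ICV is a truncated HMAC stand-in, and every packet byte is constructed.

```python
import hashlib
import hmac
# Simplified IPv4 option classification (assumption: a few entries from RFC 4302 Appendix A).
IMMUTABLE = {130, 133, 134}   # IPSO Basic Security, Extended Security, CIPSO
MUTABLE = {7, 68, 131, 137}   # Record Route, Timestamp, LSRR, SSRR
SINGLE_BYTE = {0, 1}          # End of Option List, No-Operation

def parse_options(raw: bytes):
    """Split an IPv4 options field into (type, option_bytes) tuples."""
    opts, i = [], 0
    while i < len(raw):
        t = raw[i]
        n = 1 if t in SINGLE_BYTE else raw[i + 1]
        opts.append((t, raw[i:i + n]))
        i += n
    return opts

def icv_input(options: bytes, payload: bytes, unknown_is_mutable: bool) -> bytes:
    """Bytes fed to the AH ICV: mutable options zeroed, immutable ones kept,
    and an unrecognized type handled per the local policy flag."""
    out = bytearray()
    for t, ob in parse_options(options):
        known = t in IMMUTABLE or t in SINGLE_BYTE
        zero = t in MUTABLE or (not known and unknown_is_mutable)
        out += b"\x00" * len(ob) if zero else ob
    return bytes(out) + payload

def ah_icv(key: bytes, options: bytes, payload: bytes, unknown_is_mutable: bool) -> bytes:
    return hmac.new(key, icv_input(options, payload, unknown_is_mutable), hashlib.sha256).digest()[:12]
def ah_verify(key, options, payload, icv, unknown_is_mutable) -> bool:
    return hmac.compare_digest(ah_icv(key, options, payload, unknown_is_mutable), icv)

# Constructed sample: a CIPSO option, a Record Route option, and an unclassified type (200).
KEY = b"constructed-demo-key"
PAYLOAD = b"labelled datagram"
CIPSO = bytes([134, 6, 0, 0, 0, 1])
RR_SENT = bytes([7, 7, 4, 0, 0, 0, 0])
RR_EN_ROUTE = bytes([7, 7, 8, 10, 0, 0, 1])   # a router filled in 10.0.0.1
UNKNOWN = bytes([200, 4, 0xAB, 0xCD])

def record_route_survives() -> bool:
    """Mutable option changed in transit, same policy both ends: still verifies."""
    icv = ah_icv(KEY, CIPSO + RR_SENT + UNKNOWN, PAYLOAD, True)
    return ah_verify(KEY, CIPSO + RR_EN_ROUTE + UNKNOWN, PAYLOAD, icv, True)

def unknown_option_disagreement_fails() -> bool:
    """Sender covers the unknown option, receiver zeroes it: an unmodified packet fails."""
    icv = ah_icv(KEY, CIPSO + UNKNOWN, PAYLOAD, unknown_is_mutable=False)
    return not ah_verify(KEY, CIPSO + UNKNOWN, PAYLOAD, icv, unknown_is_mutable=True)
```

The second function is the point of the quoted analysis: with no way to learn whether an unlisted option is mutable, two conforming implementations can pick opposite policies and reject each other's untampered packets.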
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec