Re: AH or ESP

2009-05-26 Thread Merike Kaeo
I agree as well that ESP-Null is the way to go for integrity. From an operational perspective, if you are supporting both v4 and v6 (and you will) then having different protocols will be a nightmare. The common denominator is ESP-Null. Realistically for IPsec, unless you have the scalable credential

Re: AH or ESP

2009-05-26 Thread Jack Kohn
> > > The delusion that network operators can successfully use unhelpful
> > > protocols and/or smoke and mirrors to force idealist network design on
> > > others needs to end. People use new protocols because they are better.
> > > If the benefit of moving to a new protocol does not outweigh the pain
> > > of m

Re: AH or ESP

2009-05-26 Thread Nathan Ward
On 27/05/2009, at 8:11 AM, Roland Dobbins wrote: On May 27, 2009, at 3:00 AM, Tony Hain wrote: Just because you can't use it for IPv4 is no reason to avoid using it for IPv6 now and let its momentum suppress the 66CGN walled garden mindset. I concur quite strongly with your views on thi

Re: AH or ESP

2009-05-26 Thread Dave Israel
Tony Hain wrote:
> Merike Kaeo wrote:
> ...
>
>> ESP-Null came about when folks
>> realized AH could not traverse NATs.
>>
>
> Thus the absolute reason why people should promote AH to kill off the 66nat
> nonsense. Just because you can't use it for IPv4 is no reason to avoid using
> it f

Re: AH or ESP

2009-05-26 Thread Roland Dobbins
On May 27, 2009, at 3:00 AM, Tony Hain wrote: Just because you can't use it for IPv4 is no reason to avoid using it for IPv6 now and let its momentum suppress the 66CGN walled garden mindset. I concur quite strongly with your views on this particular topic, but the CGN boat appears to've

RE: AH or ESP

2009-05-26 Thread Tony Hain
Merike Kaeo wrote:
...
> ESP-Null came about when folks
> realized AH could not traverse NATs.

Thus the absolute reason why people should promote AH to kill off the 66nat nonsense. Just because you can't use it for IPv4 is no reason to avoid using it for IPv6 now and let its momentum suppress th

Re: AH or ESP

2009-05-26 Thread Randy Bush
> IPsec as a whole is compliance mandatory for IPv6 although for new
> version of IPv6 Node requirements that came out recently I think they
> changed that to a 'SHOULD'.

the reality is DON'T

Re: AH or ESP

2009-05-25 Thread Merike Kaeo
IPsec as a whole is compliance mandatory for IPv6, although for the new version of the IPv6 Node Requirements that came out recently I think they changed that to a 'SHOULD'. Wireless devices (phones) have issues with battery life when IPsec is implemented. Note that all standards say ESP-Null is 'MUS

Re: AH or ESP

2009-05-25 Thread Jack Kohn
Hmm... besides this, AH is *never* export restricted. Also, I could be mistaken, but isn't AH compliance mandatory in IPv6? Earlier there were some issues in using ESP with TCP performance enhancement proxies used in wireless networks, which couldn't deep inspect the ESP packets to extract TCP flow

Re: AH or ESP

2009-05-25 Thread Merike Kaeo
Coming from someone who is somewhat jaded... politics. Realistically there are some folks who believe that not having the IP header (and with v6 also the option headers) integrity protected is an issue. It's not. You have more risk of operational issues from adding the complexity of AH... not

Re: AH or ESP

2009-05-25 Thread Glen Kent
Just a quick question: Why do we need AH when we have ESP-NULL? Is AH now being supported only for legacy reasons? The only negative with ESP-NULL afaik was that it could not be filtered (since packets could not be inspected), however, this changes with the "wesp" proposal. Also, the fact that AH i

Re: AH or ESP

2009-05-25 Thread Jack Kohn
Not really. Currently, you can't even look at the ESP trailer to determine if it's an encrypted or an integrity-protected packet, because the trailer itself could be encrypted. A router, by reading the next-header field from the ESP trailer, can never be sure that it's an OSPFv3 packet inside since i

Re: AH or ESP

2009-05-25 Thread Merike Kaeo
Yeah - the main issue with using ESP is that there's a trailer at the end of the packet that tells you more info to determine whether you can inspect the packet. So you have to look at the end of the packet to see whether ESP is using encryption or null-encryption (i.e. just integrity protection).

Re: AH or ESP

2009-05-25 Thread Jack Kohn
Glen, IPSECME WG at IETF is actually working on the exact issue that you have described (unable to deep inspect ESP-NULL packets). You can look at draft-ietf-ipsecme-traffic-visibility-02

Re: AH or ESP

2009-05-22 Thread Glen Kent
Yes, that's what I had meant!

On Fri, May 22, 2009 at 10:46 PM, Christopher Morrow < morrowc.li...@gmail.com> wrote:
> On Fri, May 22, 2009 at 1:04 PM, Glen Kent wrote:
> > Hi,
> >
> > It is well known in the community that AH is NAT unfriendly while ESP
> cannot
> > be filtered, and most firewa

Re: AH or ESP

2009-05-22 Thread Christopher Morrow
On Fri, May 22, 2009 at 1:04 PM, Glen Kent wrote:
> Hi,
>
> It is well known in the community that AH is NAT unfriendly while ESP cannot
> be filtered, and most firewalls would not let such packets pass.

I am NOT 'the content of the esp packet can't be filtered in transit' I think you mean... rig