On Mon, 3 Mar 2014, RJ Atkinson wrote:
ESP-NULL offers the same protection as AH, ...This sentence above is not true. ESP-NULL and AH provide different security properties to the IP-layer. AH protects all IP options, whereas ESP cannot protect any IP options that appear prior to the ESP header -- the location in the packet where those IP options are seen *and acted upon* by routers/firewalls/etc.
What meaning has "protecting" those bits? Endpoint A and B protect something by cryptography, but any router in the middle can't trust those signatures anyway. So I don't see how AH is different from ESPinUDP where you set those options in the UDP header. These are not "protected" but the router can't verify the crypto anyway.
Similarly, AH protects many IP header fields from in-transit modification, whereas ESP encapsulation provides no protection for the 1st (outer) IP header (i.e., that appears before the ESP header).
So I don't buy that. The IP header is not protecting the packet from a router, which cannot confirm the crypto of that protection. What this is really about is exposing things like QoS bits, but those devices acting on those are not verifying any "protection". They are blindly using the exposed options. So ESPinUDP works equally well here.
As a prior discussion has noted, AH can and is used to provide cryptographic protection to some security-critical IP options (e.g. sensitivity labels). ESP-NULL is not capable of protecting those options.
I'm not sure what you are referring to here. Not labeled IPsec I take it? And again, how does this "protection" work? How do the routers verify this "protection" when only the endpoints know the crypto keys used to protect the header and payload?
The reason AH is MAY is that not all deployments care about protecting the (outer) IP header and (visible to the forwarding plane) IP options.
Can you explain how this protection works? If an AH packet flies by, and I change the QoS option from off to on to give my packet preference in the network, how will the next router notice this and ignore this QoS option?
Some deployments definitely do care. Other deployments do not.
By understanding was always that people didn't like options getting "lost" or "hidde" within the ESP payload, and not getting set on the outer packet. In fact, with KLIPS we had an option that could copy some of the header bits into the outer IP header. Paul _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
