Re: [IPsec] WESP - Roadmap Ahead

Wed, 11 Nov 2009 19:50:11 -0800

All of the standards I've seen that explicitly define how IPsec is to be used for authentication (including RFC 4552 - Authentication/ Confidentiality for OSPFv3) say that for authentication ESP-Null MUST be used and AH MAY.
Which RFCs specify AH specifically as a MUST for authentication/ integrity? 


Now on the flip side, in practical implementations, most vendors I  
know of started off with AH being used for OSPFv3 and I doubt in  
practice people are using ESP-Null.  Would love to be wrong here :)


- merike

On Nov 11, 2009, at 7:28 PM, Stephen Kent wrote:


At 7:44 AM +0530 11/12/09, Bhatia, Manav (Manav) wrote:

Steve,


 I would have no problem deprecating AH in the context of the IPsec
 architecture document, if others agree. It is less efficient  than
 ESP-NULL. However, other WGs have cited AH as the IPsec protocol of
 choice for integrity/authentication in their environments, so there

 will be a need to coordinate with them, and it may be  
unacceptable to

 kill AH as a standalone protocol for them.



I agree that it is a trifle too early to start deprecating AH,  
though I wouldn't mind doing so. OTOH, don't most WGs already  
suggest AH as a MAY, and ESP-NULL as a MUST?



Not always. For example, I believe that OSPF security makes use of  
AH, outside the IPsec context.



In any case what should be the stand for the newer work that comes  
out of these WGs. Should they spell out support for AH, or should  
they just be talking about ESP (or ESP-NULL or WESP)?



I'd recommend ESP-NULL, unless the context on which the operate  
might require inspection by an intermediate system.



If we want to deprecate AH, or at least discourage its use in the  
context of the IPSec architecture in the near future then  
shouldn't we be working on this?



Part of the problem is that some WGs want to make use of IPsec  
protocols outside of the IPsec architecture.



 > I am not comfortable with the notion of ESP with WESP.  WESP adds

 > more per-packet overhead than ESP, and some users are very  
sensitive

 to this aspect of IPsec use. Also, other WG rely on ESP and we  
would

 need to convince them that the packet inspection features of WESP

 merit making changes to their standards, which might be a tough  
sell.



I agree. However, we should start socializing WESP in other WGs so  
that folks are at least aware of it.


Agree.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec



_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec






















					Reply via email to