On Dec 27, 2011, at 8:44 AM, Leo Vegoda wrote:
Hi,
On Dec 27, 2011, at 8:08 am, Merike Kaeo wrote:
On Dec 27, 2011, at 7:43 AM, Eric Vyncke (evyncke) wrote:
I think that we should keep IPsec/IKEv2 only for firewalls and mention, in any place where OSPFv3 is mentioned, that support for AH is required.
Is there an RFC that now states that IPsec AH for OSPFv3 is a 'MUST' or 'SHOULD' and not a 'MAY'? Last I recall, the specifics for how to implement IPsec for OSPFv3 are in RFC4552, which states that ESP is a 'MUST' and AH is a 'MAY'.
There is an unverified errata report that reverses those key words:
http://www.rfc-editor.org/errata_search.php?rfc=4552
It'll be interesting to see if its status is ever changed to verified.
There are no details in the errata that are useful. I find it amusing that yesterday a discussion started in the IETF IPsec wg about writing a draft to move AH to historic. 3 years ago I had started writing a doc to enumerate why ESP-Null is good enough; it detailed the fields that were getting protected using AH and why, even with OSPFv3, there wasn't a clear advantage. There are nuances with the SPD whereby you implicitly get protection of the SRC and DST IP addresses. I think I need to finish that paper as it's 90% done. I'll send it out to a few folks early next week... something I was doing in some spare time a few years ago.

Note also that this argument has come up a few times since: even though you can use ESP for only integrity protection, it has been difficult for vendors to make a quick distinction whether an ESP packet is integrity only or also encrypted. So, some vendors prefer to use AH since in some ways it is 'simpler' and doesn't affect their performance. AH is the least tested protocol in any interoperability test. I have attended a few, and if that has changed, OK. Not from my experience.

- merike
Regards,
Leo