Merike and others,

When I wrote before Christmas 'AH for OSPFv3', I actually wanted to say 'IPsec authentication for OSPFv3'. After reading RFC 4552, it is obvious that 'ESP-null in transport mode is mandatory for routers supporting OSPFv3'.

Sorry for the confusion.

And I wish an IPv6-enabled year 2012 to you and all your devices.

-éric
-----Original Message-----
From: Merike Kaeo [mailto:merike@doubleshotsecurity.com]
Sent: Friday 30 December 2011 19:33
To: Leo Vegoda
Cc: Eric Vyncke (evyncke); ipv6-wg@ripe.net; Jan Zorz @ go6.si; Florian Weimer
Subject: Re: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
On Dec 27, 2011, at 8:44 AM, Leo Vegoda wrote:
Hi,
On Dec 27, 2011, at 8:08 am, Merike Kaeo wrote:
On Dec 27, 2011, at 7:43 AM, Eric Vyncke (evyncke) wrote:
I think that we should keep IPsec/IKEv2 only for firewall and mention to any place where OSPFv3 is mentioned that the support of AH is required.
Is there an RFC that now states that IPsec AH for OSPFv3 is a 'MUST' or 'SHOULD' and not a 'MAY'? Last I recall, the specifics for how to implement IPsec for OSPFv3 are in RFC4552, and it states that ESP is a 'MUST' and AH is a 'MAY'.
There is an unverified errata report that reverses those key words:
http://www.rfc-editor.org/errata_search.php?rfc=4552
It'll be interesting to see if its status is ever changed to verified.
There are no details in the errata that are useful. I find it amusing that yesterday there started a discussion in the IETF IPsec wg about writing a draft to move AH to historic. 3 years ago I had started writing a doc to enumerate why ESP-Null is good enough and detailed the fields that were getting protected using AH and why even with OSPFv3 there wasn't a clear advantage. There are nuances with the SPD, in that you implicitly get protection of the SRC and DST IP addresses.
I think I need to finish that paper as it's 90% done. I'll send it out to a few folks early next week... something I was doing in some spare time a few years ago.
Note also that this argument has come up a few times since, even though you can use ESP for only integrity protection, it has been difficult for vendors to make a quick distinction whether an ESP packet is integrity only or also encrypted. So, some vendors prefer to use AH since in some ways it is 'simpler' and doesn't affect their performance.
AH is the least tested protocol in any interoperability test. I have attended a few and if that has changed, OK. Not from my experience.
- merike
Regards,
Leo
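The point Merike makes above about which fields AH protects versus ESP-Null, and the implicit source/destination protection the SPD gives ESP, can be shown by computing the two ICV inputs side by side. This is an added illustration, not code from the thread or from any router implementation; it assumes HMAC-SHA1-96 as the integrity algorithm and uses constructed addresses, key and payload.

```python
import hashlib
import hmac
import struct

# Constructed sample values for this example only: a link-local source, the
# AllSPFRouters multicast destination and a placeholder integrity key.
KEY = b"constructed-example-key"
SRC = bytes.fromhex("fe80" + "00" * 13 + "01")
DST = bytes.fromhex("ff02" + "00" * 13 + "05")
PAYLOAD = bytes(48)          # stand-in for an OSPFv3 packet (Next Header 89)
OSPFV3, AH, ESP = 89, 51, 50
ICV_LEN = 12                 # HMAC-SHA1-96 truncation length

def ipv6_header(next_header, payload_len, src, dst, tclass, flow, hop_limit):
    first_word = (6 << 28) | (tclass << 20) | flow
    return struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit) + src + dst

def ah_icv(spi, seq, payload, src=SRC, dst=DST, hop_limit=1):
    """ICV as RFC 4302 computes it for IPv6 transport mode: the IP header with
    its mutable fields (Traffic Class, Flow Label, Hop Limit) zeroed, the AH
    with a zeroed ICV field, and the payload. Addresses are immutable and covered."""
    ah_len = 12 + ICV_LEN
    ah = struct.pack("!BBHII", OSPFV3, ah_len // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    hdr = ipv6_header(AH, ah_len + len(payload), src, dst, 0, 0, 0)
    return hmac.new(KEY, hdr + ah + payload, hashlib.sha1).digest()[:ICV_LEN]

def esp_icv(spi, seq, payload, src=SRC, dst=DST, hop_limit=1):
    """ICV as RFC 4303 computes it: SPI, Sequence Number, payload and ESP trailer.
    The IP header is never part of the input, so src/dst/hop_limit are ignored."""
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, OSPFV3])
    return hmac.new(KEY, struct.pack("!II", spi, seq) + payload + trailer,
                    hashlib.sha1).digest()[:ICV_LEN]

def field_is_covered(icv_fn, **change):
    """True if altering the given IPv6 header field changes the ICV."""
    return icv_fn(0x100, 1, PAYLOAD) != icv_fn(0x100, 1, PAYLOAD, **change)

def spd_selector_check(sa_src, sa_dst, pkt_src, pkt_dst):
    """Receiver-side SA selector check (RFC 4301): a packet whose addresses do
    not match the SA's selectors is dropped even though ESP's ICV would verify.
    This is the implicit src/dst protection ESP-NULL gets from the SPD."""
    return sa_src == pkt_src and sa_dst == pkt_dst

if __name__ == "__main__":
    spoofed = bytes(16)
    print("AH covers dst:", field_is_covered(ah_icv, dst=spoofed))        # True
    print("ESP covers dst:", field_is_covered(esp_icv, dst=spoofed))      # False
    print("AH covers hop limit:", field_is_covered(ah_icv, hop_limit=7))  # False
    print("SPD rejects spoofed dst:", not spd_selector_check(SRC, DST, SRC, spoofed))  # True
```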