[ipv6-wg] RIPE-501 replacement document - IPsec question tocommunity - we need your input.

Merike and others,

When I wrote before Christmas 'AH for OSPFv3', I actually wanted to say 'IPsec authentication for OSPFv3'. After reading RFC 4552, it is obvious that 'ESP-null in transport mode is mandatory for routers supporting OSPFv3'

Sorry for the confusion 

And I wish an IPv6-enabled year 2012 to you and all your devices

-éric

> -----Original Message-----
> From: Merike Kaeo [mailto:merike at doubleshotsecurity.com]
> Sent: vendredi 30 décembre 2011 19:33
> To: Leo Vegoda
> Cc: Eric Vyncke (evyncke); ipv6-wg at ripe.net; Jan Zorz @ go6.si; Florian
> Weimer
> Subject: Re: [ipv6-wg] RIPE-501 replacement document - IPsec question
> tocommunity - we need your input.
> 
> 
> On Dec 27, 2011, at 8:44 AM, Leo Vegoda wrote:
> 
> > Hi,
> >
> > On Dec 27, 2011, at 8:08 am, Merike Kaeo wrote:
> >> On Dec 27, 2011, at 7:43 AM, Eric Vyncke (evyncke) wrote:
> >>
> >>> I think that we should keep IPsec/IKEv2 only for firewall and mention to
> any place where OSPFv3 is mentioned that the support of AH is required.
> >>
> >> Is there an RFC that now states that IPsec AH for OSPFv3 is a 'MUST' or
> 'SHOULD' and not a 'MAY'?  Last I recall the specifics for how to implement
> IPsec for OSPFv3 are in RFC4552 and states that ESP is a 'MUST' and AH is a
> 'MAY'.
> >
> > There is an unverified errata report that reverses those key words:
> >
> > http://www.rfc-editor.org/errata_search.php?rfc=4552
> >
> > It'll be interesting to see if its status is ever changed to verified.
> 
> There are no details in the errata that are useful.  I find it amusing that
> yesterday there started a discussion in the IETF IPsec wg about writing a
> draft to move AH to historic.  3 years ago I had started writing a doc to
> enumerate why ESP-Null is good enough and detailed the fields that were
> getting protected using AH and why even with OSPFv3 there wasn't a clear
> advantage.  There are nuances with SPD that you implicitly get protection of
> the SRC and DST IP addresses.
> 
> I think I need to finish that paper as it's 90% done.  I'll send out to a
> few folks early next week.....something I was doing in some spare time a few
> years ago.
> 
> Note also that this argument has come up a few times since eventhough you
> can use ESP for only integrity protection it has been difficult for vendors
> to make a quick distinction whether an ESP packet is integrity only or also
> encrypted.  So, some vendors prefer to use AH since in some ways it is
> 'simpler' and doesn't affect their performance.
> 
> AH is the least tested protocol in any interoperability test.  I have
> attended a few and if that has changed, OK.  Not from my experience.
> 
> - merike
> 
> 
> >
> > Regards,
> >
> > Leo
> >