This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ipv6-wg@ripe.net/
[ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
Eric Vyncke (evyncke)
evyncke at cisco.com
Mon Jan 2 14:26:42 CET 2012
Merike and others,

When I wrote before Christmas 'AH for OSPFv3', I actually wanted to say 'IPsec authentication for OSPFv3'. After reading RFC 4552, it is obvious that 'ESP-null in transport mode is mandatory for routers supporting OSPFv3'.

Sorry for the confusion.

And I wish an IPv6-enabled year 2012 to you and all your devices.

-éric

> -----Original Message-----
> From: Merike Kaeo [mailto:merike at doubleshotsecurity.com]
> Sent: vendredi 30 décembre 2011 19:33
> To: Leo Vegoda
> Cc: Eric Vyncke (evyncke); ipv6-wg at ripe.net; Jan Zorz @ go6.si; Florian Weimer
> Subject: Re: [ipv6-wg] RIPE-501 replacement document - IPsec question tocommunity - we need your input.
>
>
> On Dec 27, 2011, at 8:44 AM, Leo Vegoda wrote:
>
> > Hi,
> >
> > On Dec 27, 2011, at 8:08 am, Merike Kaeo wrote:
> >> On Dec 27, 2011, at 7:43 AM, Eric Vyncke (evyncke) wrote:
> >>
> >>> I think that we should keep IPsec/IKEv2 only for firewall and mention to any place where OSPFv3 is mentioned that the support of AH is required.
> >>
> >> Is there an RFC that now states that IPsec AH for OSPFv3 is a 'MUST' or 'SHOULD' and not a 'MAY'? Last I recall the specifics for how to implement IPsec for OSPFv3 are in RFC4552 and states that ESP is a 'MUST' and AH is a 'MAY'.
> >
> > There is an unverified errata report that reverses those key words:
> >
> > http://www.rfc-editor.org/errata_search.php?rfc=4552
> >
> > It'll be interesting to see if its status is ever changed to verified.
>
> There are no details in the errata that are useful. I find it amusing that yesterday there started a discussion in the IETF IPsec wg about writing a draft to move AH to historic. 3 years ago I had started writing a doc to enumerate why ESP-Null is good enough and detailed the fields that were getting protected using AH and why even with OSPFv3 there wasn't a clear advantage. There are nuances with SPD that you implicitly get protection of the SRC and DST IP addresses.
>
> I think I need to finish that paper as it's 90% done. I'll send out to a few folks early next week.....something I was doing in some spare time a few years ago.
>
> Note also that this argument has come up a few times since even though you can use ESP for only integrity protection it has been difficult for vendors to make a quick distinction whether an ESP packet is integrity only or also encrypted. So, some vendors prefer to use AH since in some ways it is 'simpler' and doesn't affect their performance.
>
> AH is the least tested protocol in any interoperability test. I have attended a few and if that has changed, OK. Not from my experience.
>
> - merike
>
>
> >
> > Regards,
> >
> > Leo
> >
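An added illustration of the 'ESP-null in transport mode' format discussed in this thread (not code from any participant or from RFC 4552): a minimal build-and-verify of an ESP packet with NULL encryption. HMAC-SHA-1-96 as the integrity algorithm, the key, the SPI and the OSPFv3 header bytes are assumptions constructed for the example. It shows that the ESP header carries only SPI and sequence number, so nothing on the wire marks the payload as unencrypted.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # assumption: HMAC-SHA-1-96, the 20-byte digest truncated to 96 bits
NH_OSPF = 89   # IP protocol number for OSPF, carried in the ESP trailer

def esp_null_seal(spi, seq, payload, key):
    """Build SPI | seq | cleartext payload | pad | pad_len | next_hdr | ICV."""
    pad_len = -(len(payload) + 2) % 4        # trailer must end on a 4-byte boundary
    pad = bytes(range(1, pad_len + 1))       # default padding bytes 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + pad + bytes([pad_len, NH_OSPF])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv

def esp_null_open(packet, key):
    """Verify the ICV, then return (spi, seq, next_hdr, payload)."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("too short for ESP")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expect = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_hdr = body[-2], body[-1]
    if pad_len > len(body) - 10:
        raise ValueError("bad pad length")
    return spi, seq, next_hdr, body[8:len(body) - 2 - pad_len]

def demo():
    key = bytes(range(20))                   # constructed manual key
    # Constructed 16-byte OSPFv3 header only: version 3, type 1 (Hello).
    ospf = struct.pack("!BBHIIHBB", 3, 1, 16, 0x01010101, 0, 0, 0, 0)
    pkt = esp_null_seal(0x100, 1, ospf, key)
    tampered = pkt[:9] + b"\x02" + pkt[10:]  # flip the OSPF type byte in transit
    try:
        esp_null_open(tampered, key)
        rejected = False
    except ValueError:
        rejected = True
    return pkt, ospf, esp_null_open(pkt, key), rejected

if __name__ == "__main__":
    pkt, ospf, opened, rejected = demo()
    print(pkt.hex(), opened[:3], "tamper rejected:", rejected)
```

The first payload byte (offset 8) is the readable OSPF version, yet only the receiver's SA configuration says that this SPI uses NULL encryption.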