>>>>> "Steven" == Steven M Bellovin <smb@xxxxxxxxxxxxxxx> writes:
Steven> On Mon, 29 Sep 2008 15:20:23 -0400
Steven> Sam Hartman <hartmans-ietf@xxxxxxx> wrote:
>> Section 8 proposes that AH is the mandatory-to-implement
>> security mechanism for this option. Do we still believe that
>> is appropriate given RFC 4301's move away from AH as a
>> mandatory-to-implement service?
Steven> As discussed way back when, when we'd agreed on what
Steven> became 2401 et seq., the IETF preferred that security
Steven> labels be part of the credential, and hence implicit in
Steven> the security association, rather than being part of the
Steven> IPsec header. Now -- here, the use of IPsec is to protect
Steven> the security label, rather than the data -- but does it
Steven> actually do that in any useful way? If the security
Steven> option is really end-to-end, we don't need it, per the
Steven> above. If it's hop-by-hop -- and it's using a v6
Steven> hop-by-hop option -- AH doesn't provide useful protection
Steven> unless packets are digitally signed rather than MACed.
Doesn't that sort of depend on
1) who the attackers are
2) who the endpoints of the SA are?
As far as I can tell AH would be fine for hop-by-hop SAs to protect
packets flowing over a link that cannot be trusted to preserve
integrity between two intermediate systems.
You could potentially have both an end-to-end SA and a hop-by-hop SA.
That says that you trust intermediate systems less than you do the endpoints, but somehow you're still trusting them not to disclose traffic.
I'd like to understand the threat model that leads to this better.
However, I agree with you that the draft is broken. It seems clearly
like it is talking about end-to-end AH, and I agree that doesn't fit
the model well at all without digital signatures.
>> As we know, BCP 61 requires a strong mandatory-to-implement
>> security mechanism for Internet protocols. That mechanism
>> needs to be sufficient for use over the open Internet. We have
>> been very reluctant to accept weaker security mechanisms
>> because some standards-track protocol is not intended for use
>> on the open Internet; BCP 61 says we have consensus that is not
>> how we do things. I question whether AH is sufficient as a BCP
>> 61 mandatory-to-implement mechanism. The entire point of this
>> IPV6 option is to limit disclosure of confidential and
>> classified information. In order to meet that security
>> objective on the open Internet, some confidentiality mechanism
>> is required. I strongly recommend that if this TS is published
>> on the standards track,ESP with confidentially be required.
Steven> I don't agree. The purpose of AH in this spec is to
Steven> protect certain information that's in the clear. (As
Steven> noted, though, I don't think it does it properly.)
Steven> Protection of the underlying data is the business of a
Steven> separate layer or sublayer.
I made a number of statements and I'd like to explore our
disagreement. I'm assuming that we agree about what BCP 61 is trying
to do: it's trying to require that IETF protocols have adequate
security for the open Internet, because networks will get connected.
I seem to recall you buy into that argument:-)
Do you disagree with my assertion that from a overall architecture
view, anyone who implements this mechanism needs confidentiality to
run their packets over the open Internet?
If you agree confidentiality is needed somewhere, how do we get
interoperability if we don't mandate a confidentiality mechanism here?
>> The document requires that if there is a label inside and
>> outside an AH header, that these labels must be the same. Why
>> is this a valid use of a 2119 MUST? What security or
>> interoperability problem results if for example the outer label
>> dominates the inner label? As far as I can tell this
>> requirement gets in the way of tunneling arbitrary IP traffic.
Steven> It guards against someone tampering with the outer label,
Steven> causing the packet to be misrouted perhaps.
I guess I'm having a hard time seeing why you would have both labels
if they serve the same purpose. However I think I was misreading the
text. I thought the text was intended to apply to IP within IP--for
example an inner label in a ip-in-ip tunnel. If the text is only
intended to apply to two copies of the option at the same IP layer,
then I agree they need to be the same, although I'd also like an
explanation of why you ever do that.
Steven> Note 7.3.1 on
Steven> TCP considerations. (Also note that 7.3.1 disagrees with
Steven> 793 on the treatment of security labels in section 3.6 of
Steven> 793. At the least, this shoudl be noted.
I had completely missed this. I'll call out the section to the transport ADs
Steven> --Steve Bellovin,
Steven> http://www.cs.columbia.edu/~smb
_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf