[119331] in North American Network Operators' Group
Re: AH is pretty useless and perhaps should be deprecated
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Sat Nov 14 18:13:10 2009
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <000a01ca6563$1db96f20$592c4d60$@edu>
Date: Sat, 14 Nov 2009 18:12:24 -0500
To: Adam Stasiniewicz <stasinia@msoe.edu>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Nov 14, 2009, at 2:46 PM, Adam Stasiniewicz wrote:
> I have seen AH used in network segmentation. I.e. systems in group A are configured with rules to require all communication be over AH. Systems in group B (which have no AH and no appropriate certificates configured) can't chat with group A. The benefit of using AH vs. ESP in this case is twofold. First, AH is less CPU intensive, and when one considers enabling it on all/many workstations and servers in a company, that can add up to a lot of CPU cycles. Second, since AH only signs, not encrypts, products like network analyzers, IDS/IPS, etc. can still perform their functions.
ESP with NULL encryption only authenticates (not "signs") also. However, one can't tell in a context-free way that NULL is in use. If you're using it, though, I can't see how AH could be less expensive.

AH has been controversial for years. I've been asking folks to delete it since 1995. I've never succeeded... At least RFC 4301 deprecated it to a MAY instead of a MUST for IPsec implementors.
>
> Outside of some manual deployments, the only commercial product I know that offers AH based network segmentation is Microsoft's NAP:
> http://www.microsoft.com/nap
>
> Regards,
> Adam Stasiniewicz
>
> -----Original Message-----
> From: Jack Kohn [mailto:kohn.jack@gmail.com]
> Sent: Friday, November 13, 2009 6:23 PM
> To: nanog@nanog.org
> Subject: AH is pretty useless and perhaps should be deprecated
>
> Hi,
>
> Interesting discussion on the utility of Authentication Header (AH) in
> IPSecME WG.
>
> http://www.ietf.org/mail-archive/web/ipsec/current/msg05026.html
>
> Post explaining that AH, even though protecting the source and
> destination IP addresses, is really not good enough.
>
> http://www.ietf.org/mail-archive/web/ipsec/current/msg05056.html
>
> What do folks feel? Do they see themselves using AH in the future?
> IMO, ESP and WESP are good enough and we don't need to support AH any
> more ..
>
> Jack
>
--Steve Bellovin, http://www.cs.columbia.edu/~smb
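The two technical points in this exchange, that AH's integrity check is bound to the IP addresses (but not to mutable fields such as TTL) and that a third party cannot tell from an ESP packet alone whether NULL encryption is in use, can be shown concretely. The following is an added example written for this page, not code from any thread participant or from an IPsec implementation. It builds a minimal IPv4 transport-mode AH packet with HMAC-SHA1-96 following the RFC 4302 header layout and ICV coverage rules, then an ESP-NULL packet per RFC 4303. The key, the 192.0.2.x addresses, the SPIs and the payload are all constructed values.

```python
"""Added example (not from the thread): AH vs ESP-NULL header coverage.

AH (RFC 4302): ICV covers the IP header with mutable fields zeroed, the AH
header with its ICV field zeroed, and the payload, so a third party can both
locate the ICV (its length is encoded in Payload Len) and see the payload.
ESP (RFC 4303): only SPI and Sequence Number are parseable without the SA;
ICV length, padding, Next Header and whether the payload is encrypted at
all are unknowable from the packet itself.
"""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51
ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte HMAC-SHA1 output truncated to 96 bits


def ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0):
    """20-byte IPv4 header; checksum is left zero (not needed for this demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_hdr):
    """RFC 4302 ICV computation for IPv4: TOS, flags/fragment offset, TTL and
    header checksum are mutable in transit and are zeroed before hashing.
    Source and destination addresses stay in, so AH binds them."""
    b = bytearray(ip_hdr)
    b[1] = 0                  # TOS / DSCP / ECN
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)


def ah_header(spi, seq, icv=b"\x00" * ICV_LEN, next_header=17):
    """AH fixed part + ICV. Payload Len = AH length in 32-bit words minus 2."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def ah_icv(key, ip_hdr, ah_hdr_zero_icv, payload):
    data = zero_mutable_fields(ip_hdr) + ah_hdr_zero_icv + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, spi, seq, payload, ttl=64):
    ah_zero = ah_header(spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, len(ah_zero) + len(payload), ttl)
    return ip_hdr + ah_header(spi, seq, ah_icv(key, ip_hdr, ah_zero, payload)) + payload


def parse_ah(packet):
    """Anyone on the path can fully delimit AH: Payload Len gives the ICV size."""
    ip_hdr, rest = packet[:20], packet[20:]
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (payload_len + 2) * 4
    return {"ip_hdr": ip_hdr, "next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": rest[12:ah_len], "payload": rest[ah_len:]}


def verify_ah(key, packet):
    f = parse_ah(packet)
    ah_zero = ah_header(f["spi"], f["seq"], b"\x00" * len(f["icv"]), f["next_header"])
    return hmac.compare_digest(ah_icv(key, f["ip_hdr"], ah_zero, f["payload"]), f["icv"])


def build_esp_null(key, spi, seq, payload, next_header=17):
    """ESP with NULL encryption and HMAC-SHA1-96. The payload is in the clear,
    but nothing in the packet announces that; the ICV is simply the trailing bytes."""
    pad_len = (-(len(payload) + 2)) % 4          # align Pad Length/Next Header to 32 bits
    padding = bytes(range(1, pad_len + 1))       # RFC 4303 default padding 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]


def parse_esp(esp):
    """Without the SA, only SPI and Sequence Number can be read; the rest is opaque.
    An IDS cannot tell where the ICV starts, nor that the payload is not ciphertext."""
    spi, seq = struct.unpack("!II", esp[:8])
    return {"spi": spi, "seq": seq, "opaque": esp[8:]}


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"   # constructed, not a real key
    pkt = build_ah_packet(key, "192.0.2.1", "192.0.2.2", 0x1000, 1, b"hello")
    print("AH valid as built:", verify_ah(key, pkt))
    hopped = bytearray(pkt); hopped[8] -= 1             # a router decrements TTL
    print("AH valid after TTL decrement:", verify_ah(key, bytes(hopped)))
    rewritten = bytearray(pkt); rewritten[16:20] = socket.inet_aton("192.0.2.99")
    print("AH valid after dst rewrite:", verify_ah(key, bytes(rewritten)))
    print("ESP as seen by a third party:", parse_esp(build_esp_null(key, 0x2000, 1, b"hello")))
```

Run as a script, the AH packet verifies as built and still verifies after the TTL changes, but fails once the destination address is rewritten, which is exactly the address binding Jack's second IETF link argues is not good enough on its own. The ESP output shows why Steve's "context-free" remark matters for the IDS/IPS use case: with no SA state, a monitor sees eight meaningful bytes and an opaque tail, whether or not the encryption was NULL (WESP, RFC 5840, exists to make that visible).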