nanog mailing list archives
Re: AH or ESP
From: Merike Kaeo <kaeo () merike com>
Date: Mon, 25 May 2009 14:03:19 -0700
Yeah - the main issue with using ESP is that there's a trailer at end of packet that tells you more info to determine whether you can inspect the packet. So you have to look at the end of the packet to see whether ESP is using encryption or null-encryption (i.e. just integrity protection). Some vendors do have proprietary mechanisms in software for now which doesn't scale. The work below will hopefully lock into a solution where hw can be built to quickly determine if ESP is used for integrity only.
AH is not really widely used (except for OSPFv3 since early implementations locked in on AH when the standard said to use IPsec for integrity protection). Note that a subsequent standard now exists which explicitly states that ESP-Null MUST be supported and AH MAY be supported. But how many folks are actually running OSPF for a v6 environment and using IPsec to protect the communicating peers? Some but not many (yet).
Personally, I'd stick with ESP. AH complicates matters (configuration, nested environments when you do decide to also use ESP for encryption maybe later, NAT) and while it isn't officially deprecated vendors don't test it as much as ESP - at interoperability tests it's not stressed, at least the ones I've been to. Ask your vendor(s) what they think of the work below and see where they stand with implementing it.
Be happy to answer any more questions offline.

- merike

On May 25, 2009, at 6:24 AM, Jack Kohn wrote:
> Glen,
>
> IPSECME WG <http://www.ietf.org/html.charters/ipsecme-charter.html> at IETF is actually working on the exact issue that you have described (unable to deep inspect ESP-NULL packets). You can look at draft-ietf-ipsecme-traffic-visibility-02 <http://tools.ietf.org/html/draft-ietf-ipsecme-traffic-visibility-02> for more details.
>
> Jack
>
> On Sat, May 23, 2009 at 5:06 AM, Glen Kent <glen.kent () gmail com> wrote:
>> Yes, that's what I had meant!
>>
>> On Fri, May 22, 2009 at 10:46 PM, Christopher Morrow <morrowc.lists () gmail com> wrote:
>>> On Fri, May 22, 2009 at 1:04 PM, Glen Kent <glen.kent () gmail com> wrote:
>>>> Hi,
>>>> It is well known in the community that AH is NAT unfriendly while ESP cannot be filtered, and most firewalls would not let such packets pass. I am NOT
>>>
>>> 'the content of the esp packet can't be filtered in transit' I think you mean... right?
>>>
>>>> interested in encrypting the data, but I do want origination authentication (Integrity Protection). Do folks in such cases use AH or ESP-NULL, given that both have some issues?
>>>>
>>>> Thanks, Glen
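The trailer problem Merike describes above, as an added example that is not part of the thread or of any vendor's or the IETF's code: it builds an ESP packet with NULL encryption and a truncated HMAC-SHA-256 ICV (the SA key, SPI, and inner TCP bytes are all constructed here), then shows that an inspector with no key has to guess the ICV length and read the trailer from the end of the packet before it can learn the next header, which is the reason a header-only fast path cannot tell ESP-NULL from encrypted ESP.

```python
import hmac, hashlib, struct

def build_esp_null(spi, seq, payload, next_header, key, icv_len=12):
    """ESP-NULL: SPI | Seq | payload | padding | pad_len | next_header | ICV (HMAC-SHA-256, truncated)."""
    pad_len = (-(len(payload) + 2)) % 4          # align trailer to a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))        # RFC 4303 default padding pattern 1,2,3,...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    return body + hmac.new(key, body, hashlib.sha256).digest()[:icv_len]

def parse_esp_header(pkt):
    """Only SPI and sequence number are up front; nothing here says whether the payload is encrypted."""
    return struct.unpack("!II", pkt[:8])

def read_trailer(pkt, icv_len):
    """Recover (next_header, inner, padding) for a *guessed* ICV length, or None if lengths do not fit."""
    if len(pkt) < 8 + 2 + icv_len:
        return None
    pad_len, next_header = pkt[-icv_len - 2], pkt[-icv_len - 1]
    inner_end = len(pkt) - icv_len - 2 - pad_len
    if inner_end < 8:
        return None
    return next_header, pkt[8:inner_end], pkt[inner_end:len(pkt) - icv_len - 2]

def guess_esp_null(pkt, icv_lens=(12, 16, 24, 32), plausible_nh=(4, 6, 17, 41, 58)):
    """Middlebox heuristic: try each common ICV length and keep those whose trailer
    looks like ESP-NULL (default padding pattern plus a plausible next header).
    Encrypted ESP puts random-looking bytes there, so it will rarely match."""
    hits = []
    for icv_len in icv_lens:
        parsed = read_trailer(pkt, icv_len)
        if parsed is None:
            continue
        nh, _inner, padding = parsed
        if nh in plausible_nh and padding == bytes(range(1, len(padding) + 1)):
            hits.append((icv_len, nh))
    return hits

def verify_icv(pkt, key, icv_len):
    """Only an endpoint holding the SA key can check this; a middlebox cannot."""
    expected = hmac.new(key, pkt[:-icv_len], hashlib.sha256).digest()[:icv_len]
    return hmac.compare_digest(expected, pkt[-icv_len:])

# Constructed sample: a fake TCP header plus a few data bytes carried in ESP-NULL.
KEY = b"constructed-demo-key"                   # SA key (constructed)
TCP = struct.pack("!HHIIBBHHH", 443, 54321, 0x11223344, 0, 0x50, 0x18, 0x2000, 0, 0)
PKT = build_esp_null(0x1000, 1, TCP + b"hello", 6, KEY)   # next header 6 = TCP
print(parse_esp_header(PKT), guess_esp_null(PKT), verify_icv(PKT, KEY, 12))
```

The heuristic only works when the trailer is in the clear; with a real cipher the same bytes are ciphertext, which is why the thread's draft aims at a wire-visible marker instead of guessing.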