
AH and flow label



Here is a message from Steve Kent, who is updating RFC 2402
"IP Authentication Header (AH)", about the flow label status.
I have put it on this list for people interested in IPsec but
who do not have enough time to read the mailing list...
To summarize, the question is:

Is the [ipsec] WG comfortable with the status quo, i.e., NOT including the 
flow label in the ICV [integrity check value], despite the fact that it
is immutable?

Francis.Dupont@enst-bretagne.fr

PS: of course my opinion is that we have to keep the status quo and
that the decision is in the scope (i.e., hands?) of the ipv6 WG.
--- Begin Message ---
Francis,

I looked at RFC 3697.  It does state that AH does not protect flow 
labels, which is consistent with the old AH spec (RFC 2402). So, if 
we were to change this in the new AH spec, there would be a conflict. 
Also, the security analysis in 3697 argues that since there is no 
protection of the flow spec value, intermediate systems cannot rely 
on it and an end IPsec implementation cannot rely on it in transport 
mode.  I agree that it is unlikely that we would be able to manage 
key distribution for intermediate systems to be able to check the AH 
ICV, which supports your argument that it is not worth including it 
in the ICV computation.
However, if we choose to maintain backward compatibility with 2402, 
we need to clarify in 2402bis that this is the reason for not 
including the value in the ICV computation, as opposed to the 
current, erroneous rationale.

Is the WG comfortable with the status quo, i.e., NOT including the 
flow label in the ICV, despite the fact that it is immutable?

Steve
--- End Message ---
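The status quo under discussion, shown as an added example that is not part of the thread or of any IPsec implementation: the IPv6 fields AH treats as uncovered (Traffic Class, Flow Label, Hop Limit) are zeroed before the ICV is computed, so two transport-mode packets that differ only in Flow Label yield the same ICV while a changed address does not. HMAC-SHA-256-128 as the integrity algorithm, the key, SPI and addresses are all constructed assumptions.

```python
import hmac
import hashlib
import ipaddress
import struct

ICV_LEN = 16  # HMAC-SHA-256-128: 256-bit MAC truncated to 128 bits (assumed algorithm)
AH_PROTO = 51  # IPv6 Next Header value for AH

def ipv6_header(src, dst, payload_len, next_header, flow_label=0, hop_limit=64, traffic_class=0):
    """40-byte IPv6 fixed header (constructed sample values, not captured traffic)."""
    first_word = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

def ah_header(next_header, spi, seq, icv=b"\x00" * ICV_LEN):
    """AH: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Seq, ICV.
    For IPv6 the AH must be a multiple of 8 octets, so a 128-bit ICV gets 4 pad octets."""
    body = icv + b"\x00" * (-(12 + len(icv)) % 8)
    return struct.pack("!BBHII", next_header, (12 + len(body)) // 4 - 2, 0, spi, seq) + body

def icv_input(ip_hdr, ah_hdr, payload):
    """Bytes AH authenticates in transport mode. Traffic Class, Flow Label and Hop Limit
    are zeroed (the Flow Label too, although RFC 3697 makes it immutable, which is the
    point under discussion); Version, Payload Length, Next Header and the addresses are
    covered as sent. The ICV field (and its padding) inside AH is zero during the MAC."""
    version_byte = bytes([ip_hdr[0] & 0xF0])                 # keep Version, drop Traffic Class bits
    hdr = version_byte + b"\x00\x00\x00" + ip_hdr[4:7] + b"\x00" + ip_hdr[8:40]
    ah_zeroed = ah_hdr[:12] + b"\x00" * (len(ah_hdr) - 12)
    return hdr + ah_zeroed + payload

def ah_icv(key, src, dst, payload, flow_label=0, inner_proto=58, spi=0x1000, seq=1):
    """Truncated HMAC-SHA-256 ICV for a constructed transport-mode AH packet."""
    ah = ah_header(inner_proto, spi, seq)
    ip_hdr = ipv6_header(src, dst, len(ah) + len(payload), AH_PROTO, flow_label=flow_label)
    mac = hmac.new(key, icv_input(ip_hdr, ah, payload), hashlib.sha256).digest()
    return mac[:ICV_LEN]

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed, not a real SA key
    a = ah_icv(key, "2001:db8::1", "2001:db8::2", b"ping", flow_label=0)
    b = ah_icv(key, "2001:db8::1", "2001:db8::2", b"ping", flow_label=0xABCDE)
    c = ah_icv(key, "2001:db8::1", "2001:db8::3", b"ping", flow_label=0)
    print("flow label changed, ICV unchanged:", a == b)
    print("destination changed, ICV changed:", a != c)
```

Because the receiver zeroes the Flow Label before verification as well, a modified label passes the AH check; that is the consequence RFC 3697's security analysis draws when it says neither intermediate systems nor a transport-mode endpoint can rely on the value.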
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------