Merike Kaeo kaeo at merike.com
Mon May 25 16:03:19 CDT 2009

Yeah - the main issue with using ESP is that there's a trailer at end  
of packet that tells you more info to determine whether you can  
inspect the packet.  So you have to look at the end of the packet to  
see whether ESP is using encryption or null-encryption (i.e. just  
integrity protection).  Some vendors do have proprietary mechanisms  
in software for now which doesn't scale.  The work below will  
hopefully lock into a solution where hw can be built to quickly  
determine if ESP is used for integrity only.

AH is not really widely used (except for OSPFv3 since early  
implementations locked in on AH when the standard said to use IPsec  
for integrity protection).  Note that a subsequent standard now  
exists which explicitly states that ESP-Null MUST be supported and AH  
MAY be supported.  But how many folks are actually running OSPF for a  
v6 environment and using IPsec to protect the communicating peers?   
Some but not many (yet).

Personally, I'd stick with ESP.  AH complicates matters  
(configuration, nested environments when you do decide to also use  
ESP for encryption maybe later, NAT) and while is isn't officially  
deprecated vendors don't test it as much as ESP - at interoperability  
tests it's not stressed, at least the ones I've been to.  Ask your  
vendor(s) what they think of the work below and see where they stand  
with implementing it.

Be happy to answer any more questions offline.

- merike

On May 25, 2009, at 6:24 AM, Jack Kohn wrote:

> Glen,
> IPSECME WG <http://www.ietf.org/html.charters/ipsecme-charter.html>  
> at IETF
> is actually working on the exact issue that you have described  
> (unable to
> deep inspect ESP-NULL packets).
> You can look at
> draft-ietf-ipsecme-traffic-visibility-02<http://tools.ietf.org/html/ 
> draft-ietf-ipsecme-traffic-visibility-02>for
> more details.
> Jack
> On Sat, May 23, 2009 at 5:06 AM, Glen Kent <glen.kent at gmail.com>  
> wrote:
>> Yes, thats what i had meant !
>> On Fri, May 22, 2009 at 10:46 PM, Christopher Morrow
>> <morrowc.lists at gmail.com> wrote:
>>> On Fri, May 22, 2009 at 1:04 PM, Glen Kent <glen.kent at gmail.com>  
>>> wrote:
>>>> Hi,
>>>> It is well known in the community that AH is NAT unfriendly  
>>>> while ESP
>>>> cannot
>>>> be filtered, and most firewalls would not let such packets pass.  
>>>> I am
>>>> NOT
>>> 'the content of the esp packet can't be filtered in transit' I think
>>> you mean... right?
>>>> interested in encrypting the data, but i do want origination
>>>> authentication
>>>> (Integrity Protection). Do folks in such cases use AH or ESP-NULL,
> given
>>>> that both have some issues?
>>>> Thanks,
>>>> Glen

More information about the NANOG mailing list