
Questions on AH and ESP for IPv4



Robert Glenn writes:
> Page 2 of the RFC1826 says "Also, Path MTU Discovery MUST be used when
> intermediate authentication of the Authentication Header is desired and
> IPv4 is in use because with this method it is not possible to
> authenticate a fragment of a packet [MD90] [Kno93]".
...
> I propose that the sentence on page 8 should be chopped
> and on page 2 it should read:  "Also, Path MTU Discovery SHOULD be used
> in conjunction with the Authentication header in IPv4 hosts and MUST be
> used when intermediate authentication of the Authentication Header is
> desired in IPv4 routers because with this method it is not possible to
> authenticate a fragment of a packet [MD90] [Kno93]"

Please don't make this change, as it would invalidate my
implementation, which always encapsulates a packet to be authenticated
in IP-in-IP (ip_p=4) before adding the AH.  It doesn't need Path MTU
Discovery, and it works just fine.

> Until PMTU is better deployed, would it be valuable to have either
> an AH Tunnel mode or a more generic IPSEC Tunnel mode?

An AH tunnel mode does exist -- simply do as I described above.
-- 
Karl Fox, servant of God, employee of Morning Star Technologies +1 800 558 7827
3518 Riverside Drive, Suite 101, Columbus, Ohio 43221           +1 614 451 1883

