[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AH and ESP Orthogonality



	 For the past several years, this WG (and others such as SIP,
	 SIPP, and IPng, and other protocol designers such as SSL)
	 strongly supported orthogonality between the Authentication
	 and Encapsulation (both privacy and compression) facilities.

	 Recently, the WG chairs (without any stimulating WG comments)
	 have tried to move the WG toward a non-orthogonal all-in-one
	 approach for ESP.

	 Last week, Ran Atkinson stood at the microphone, and stated
	 (without elaboration) that his previous support for an
	 orthogonal approach was a serious mistake".

	 I ask, what was the mistake?

While not completely worthless, ESP without both integrity protection
and replay prevention is significantly weakened in many real environments.
We therefore have a situation where ESP must be used in conjunction with
AH, and no document saying so.  Worse yet, we're paying the overhead
price for a new header twice.

I'm planning on writing an RFC explaining this, but I won't be able to
get to it till next week, most likely -- I have other writing committments
to finish up first.