
AH (without ESP) on a secure gateway



     Last month there was a question regarding ESP and AH on a secure 
     gateway as in the following model.

     
       secure                 (untrusted)         secure
       hostA  gatewayA---------------------------gatewayB  hostB
        |      |                                     |      |
       ----------                                   -----------
      (trusted subnet)                             (trusted subnet)
     
     
     My question is whether AH on a secure gateway even makes sense at all 
     if ESP is not being performed.
     
     Consider hostA sending a packet to hostB.  If gatewayA places an AH on 
     the packet, it would appear as if it was authenticated by hostA, not a 
     good idea in my mind.
     
     How do other secure gateway implementations handle this situation?
     
     Bill Whelan




