Re[2]: AH (without ESP) on a secure gateway
Steve,
>AH is
>nominally a "transport" mode security protocol, using the terminology
>adopted for ESP in the IPSEC context. In this mode, AH cannot be
>used unambiguously by a pair of firewalls, because it conflicts with
>possible use of AH by subscriber hosts served by these firewalls.
Thanks, this ambiguity is the heart of my original question.
>One can address this problem by tunneling between the firewalls,
>and using AH in the exterior IP header.
I agree - AH with ESP on a secure gateway seems pretty unambiguous.
>One also can achieve a similar (though not identical) capability by
>using ESP in tunnel mode, but NOT electing to perform encryption. Since
>ESP is being revised to be general enough to NOT require encryption, this
>would address the export or import concerns cited earlier.
Hmm, this might be a solution, but it seems somewhat expensive. Would all
host systems providing AH need to provide ESP to handle the possibility
they are communicating through a gateway?
>Steve
Bill
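The tunnel-mode arrangement Steve describes above (a new exterior IP header between the two firewalls, with AH covering that header, and the subscriber host's own transport-mode AH left untouched inside) can be shown concretely in a few dozen lines. The following is an added illustration, not code from either poster or from any IPsec implementation. It builds AH headers with HMAC-SHA1-96 as the integrity algorithm (RFC 2404 style), zeroes the mutable IPv4 fields before computing the ICV as AH requires, and then shows a gateway wrapping a host-authenticated packet in its own AH tunnel. Addresses, SPIs and the 20-byte keys are constructed sample values; `demo()` and `forward_hop()` are illustrative helpers.

```python
import hashlib
import hmac
import ipaddress
import struct

AH = 51        # IP protocol number for the Authentication Header
IPIP = 4       # AH "next header" value for an encapsulated IPv4 datagram (tunnel mode)
TCP = 6
AH_LEN = 24    # AH with a 96-bit ICV: 12-byte fixed part + 12-byte ICV


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left 0 (the stack fills it in, AH ignores it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def zero_mutable(ip_hdr):
    """AH authenticates the IP header with its mutable fields (TOS, flags/fragment offset,
    TTL, header checksum) zeroed, so routers may rewrite them without breaking the ICV."""
    b = bytearray(ip_hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def ah_fixed(next_hdr, spi, seq):
    # Payload Len = AH length in 32-bit words minus 2 = 6 - 2 = 4 for a 24-byte AH
    return struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)


def ah_icv(key, ip_hdr, next_hdr, spi, seq, payload):
    """HMAC-SHA1-96 over the immutable IP header, the AH with ICV zeroed, and the payload."""
    data = zero_mutable(ip_hdr) + ah_fixed(next_hdr, spi, seq) + b"\x00" * 12 + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def ah_transport(key, spi, seq, src, dst, next_hdr, payload):
    """Transport mode: AH sits between the original IP header and its payload."""
    ip = ipv4_header(src, dst, AH, AH_LEN + len(payload))
    icv = ah_icv(key, ip, next_hdr, spi, seq, payload)
    return ip + ah_fixed(next_hdr, spi, seq) + icv + payload


def ah_tunnel(key, spi, seq, gw_src, gw_dst, inner):
    """Tunnel mode: a new outer IP header addressed gateway-to-gateway, then AH, then the
    complete inner datagram, which may itself carry the subscriber host's own AH."""
    return ah_transport(key, spi, seq, gw_src, gw_dst, IPIP, inner)


def ah_verify(key, pkt):
    """Receiver side: recompute the ICV. Returns (ok, next_header, spi)."""
    ip, ah, payload = pkt[:20], pkt[20:20 + AH_LEN], pkt[20 + AH_LEN:]
    if ip[9] != AH:
        return False, None, None
    next_hdr, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    ok = hmac.compare_digest(ah[12:], ah_icv(key, ip, next_hdr, spi, seq, payload))
    return ok, next_hdr, spi


def forward_hop(pkt):
    """Illustrative router: decrement the (mutable) TTL and touch nothing else."""
    b = bytearray(pkt)
    b[8] -= 1
    return bytes(b)


def demo():
    """Host-to-host transport AH carried inside gateway-to-gateway tunnel AH (sample values)."""
    host_key = b"H" * 20   # constructed sample key shared by the two subscriber hosts
    gw_key = b"G" * 20     # constructed sample key shared by the two firewalls
    inner = ah_transport(host_key, 0x1001, 1, "10.1.0.5", "10.2.0.7", TCP, b"hello")
    # The firewall does not add a second transport-mode AH to the same header (that is
    # the ambiguity in the thread); it encapsulates and authenticates its own outer header.
    outer = forward_hop(ah_tunnel(gw_key, 0x2002, 1, "192.0.2.1", "198.51.100.1", inner))
    ok_outer, nh, spi = ah_verify(gw_key, outer)          # peer firewall checks its SA
    ok_inner, nh_in, _ = ah_verify(host_key, outer[20 + AH_LEN:])  # host checks its own
    return ok_outer, nh, spi, ok_inner, nh_in


if __name__ == "__main__":
    print(demo())
```

The peer firewall selects its security association by the outer destination address plus SPI, which the host's inner AH never shares, so each layer can be verified independently; the TTL change applied in transit does not disturb either ICV, whereas any change to the inner datagram invalidates the outer ICV.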