
Re[2]: AH (without ESP) on a secure gateway



 Steve,
     
     

 >AH is nominally a "transport" mode security protocol, using the terminology
 >adopted for ESP in the IPSEC context.  In this mode, AH cannot be
 >used unambiguously by a pair of firewalls, because it conflicts with 
 >possible use of AH by subscriber hosts served by these firewalls.
 
 Thanks, this ambiguity is the heart of my original question.
 
 >One can address this problem by tunneling between the firewalls,
 >and using AH in the exterior IP header.
 
 I agree - AH with ESP on a secure gateway seems pretty unambiguous.
 
 >One also can achieve a similar (though not identical)  capability by 
 >using ESP in tunnel mode, but NOT electing to perform encryption.  Since 
 >ESP is being revised to be general enough to NOT require encryption, this 
 >would address the export or import concerns cited earlier.
 
 Hmm, this might be a solution, but it seems somewhat expensive.  Would all 
 host systems providing AH need to provide ESP to handle the possibility 
 they are communicating through a gateway?
     
     
 >Steve
 
 Bill
     
     




