
Re[2]: AH (without ESP) on a secure gateway



Bill,

	You were absolutely right to raise this issue; the debate that
ensued, on both sides, clearly showed the need for the discussion.  I think
the architecture and AH specs have not been clear about this.  In fact, I
am willing to bet that my re-write didn't get this right either!  Contrary
to the suggestion made by Brian McKenney, I do think this is a standards
issue.  If two security gateways (to use the terminology in the IPSEC
documents) choose to use AH in transport mode between themselves, to create
an authenticated and integrity protected security association for all
traffic between the sites, this will impinge on the ability of subscriber
hosts served by these gateways to make use of AH in transport mode.  Thus,
to avoid deployment of security gateways that can be configured in a
fashion that would cause such problems, and because there are alternative
IPSEC configurations that will achieve the desired security goals, I think
it imperative that the standards prohibit this use of AH.

Steve



