
Re: Re[2]: AH (without ESP) on a secure gateway



	I believe that ESP should continue to always imply that encryption is
in use.  The presence/absence of encryption is the primary reason that AH is
separate from ESP.  Were it not for the political realities of regulation of
encryption in various locales, AH and ESP would not have been separate
protocols in the first place.  I am aware of cases where in practice more than
one government regulatory authority has been persuaded to handle AH export/use
licensing with significantly less hassle BECAUSE the AH spec does not support
encryption.

	I am aware that many implementers of AH have in fact implemented a
"tunnel-mode AH" (which looks like this: [ip:r1->r2][ah][ip:h1->h2][ulp],
where r1,r2 are security gateways and h1,h2 are end nodes).  I believe that
the best approach is to simply add a definition of this tunnel-mode AH into
the AH base specification.  This also has the virtue of having the least
amount of negative impact on interoperability of existing AH implementations.

Comments?

Ran
rja@cisco.com


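The tunnel-mode AH layout quoted in the message, worked through as an added example that is not part of the original post or of any IPsec implementation: a Python sketch of gateway r1 wrapping a host-to-host packet as [ip:r1->r2][ah][ip:h1->h2][ulp], computing the AH integrity check value over the outer header (mutable fields zeroed), the AH header and the whole inner packet, and r2 checking it. Addresses, key and payload are constructed sample values; the 12-byte HMAC-SHA1-96 ICV and the list of mutable IPv4 fields follow the AH specification.

```python
import hashlib
import hmac
import struct

IPPROTO_AH = 51   # AH's IP protocol number
NH_IPIP = 4       # AH Next Header value for an encapsulated IPv4 packet
ICV_LEN = 12      # HMAC-SHA1-96: the ICV is the HMAC truncated to 96 bits

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum is left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)

def zero_mutable(ip_hdr):
    """Zero the IPv4 fields AH treats as mutable: TOS, flags/frag offset, TTL, checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)

def ah_tunnel_encapsulate(inner_pkt, r1, r2, spi, seq, key):
    """Wrap inner_pkt as [ip:r1->r2][ah][inner_pkt]; the inner bytes are authenticated, not hidden."""
    ah_len = 12 + ICV_LEN
    outer = ipv4_header(r1, r2, IPPROTO_AH, 20 + ah_len + len(inner_pkt))
    # AH fixed part: next header, payload length (32-bit words minus 2), reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", NH_IPIP, ah_len // 4 - 2, 0, spi, seq)
    covered = zero_mutable(outer) + ah_fixed + b"\0" * ICV_LEN + inner_pkt
    icv = hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]
    return outer + ah_fixed + icv + inner_pkt

def ah_tunnel_decapsulate(pkt, key):
    """Check the ICV at r2 and return the inner packet, or None if the check fails."""
    outer, rest = pkt[:20], pkt[20:]
    ah_len = (rest[1] + 2) * 4
    icv, inner = rest[12:ah_len], rest[ah_len:]
    covered = zero_mutable(outer) + rest[:12] + b"\0" * len(icv) + inner
    expected = hmac.new(key, covered, hashlib.sha1).digest()[:len(icv)]
    return inner if hmac.compare_digest(icv, expected) else None

# Constructed sample: h1 -> h2 carrying a UDP datagram, tunnelled between gateways r1 and r2.
H1, H2 = bytes([10, 1, 0, 5]), bytes([10, 2, 0, 7])
R1, R2 = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
KEY = b"constructed-demo-key"
ULP = b"\x04\xd2\x00\x35\x00\x0d\x00\x00hello"       # UDP header + payload
INNER = ipv4_header(H1, H2, 17, 20 + len(ULP)) + ULP
```

A TTL decrement on the outer header in transit still verifies, while any change to the inner packet or the wrong key does not; the inner payload stays readable in the tunnelled bytes, which is exactly the no-encryption property the message relies on.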