
Re: Re[2]: AH (without ESP) on a secure gateway



On Wed, 4 Dec 1996, Ran Atkinson wrote:

> 	I believe that ESP should continue to always imply that encryption is
> in use.  The presence/absence of encryption is the primary reason that AH is
> separate from ESP.  Were it not for the political realities of regulation of
> encryption in various locales, AH and ESP would not have been separate
> protocols in the first place.  I am aware of cases where in practice more than
> one government regulatory authority has been persuaded to handle AH export/use
> licensing with significantly less hassle BECAUSE the AH spec does not support
> encryption.
> 
> 	I am aware that many implementers of AH have in fact implemented a
> "tunnel-mode AH" (which looks like this: [ip:r1->r2][ah][ip:h1->h2][ulp],
> where r1,r2 are security gateways and h1,h2 are end nodes).  I believe that
> the best approach is to simply add a definition of this tunnel-mode AH into
> the AH base specification.  This also has the virtue of having the least
> amount of negative impact on interoperability of existing AH implementations.
> 
> Comments ?
> 
> Ran
> rja@cisco.com
> 

AH in tunnel mode is required for the above case as well as the case of
a host that implements AH (h1) talking via a gateway (r2) to a host 
behind the gateway (h2). In this case the headers would look like this: 

[ip:h1->r2][ah][ip:h1->h2][ulp]. 

Such a mode is indeed required and would ease exportability issues.

Dan Frommer
dan@radguard.com
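As an added illustration, not code from the thread, the tunnel-mode AH layout both messages describe ([ip:r1->r2][ah][ip:h1->h2][ulp], and the host-to-gateway variant [ip:h1->r2][ah][ip:h1->h2][ulp]) built, walked and verified in Python. It assumes the RFC 1826 AH header layout, HMAC-MD5 standing in for the original keyed-MD5 transform, and constructed addresses and key; it shows that the inner IP header is fully covered by the ICV while the outer header's mutable fields are not.

```python
import hashlib, hmac, socket, struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_AH = 4, 6, 51
ICV_LEN = 16               # HMAC-MD5 digest (stand-in for the keyed-MD5 transform; assumption)
AH_OFF, ICV_OFF = 20, 28   # AH follows the 20-byte outer header; ICV follows the 8-byte AH fixed part
IP_FMT = "!BBHHHBBH4s4s"   # IPv4 header without options

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header; checksum left zero, it is mutable and not covered by AH."""
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def _authenticated_view(pkt):
    """Copy of the packet with outer mutable fields (TOS, flags/fragment, TTL, checksum) and the ICV zeroed."""
    p = bytearray(pkt)
    p[1] = 0; p[6:8] = b"\0\0"; p[8] = 0; p[10:12] = b"\0\0"
    p[ICV_OFF:ICV_OFF + ICV_LEN] = bytes(ICV_LEN)
    return bytes(p)

def build_tunnel_ah(outer_src, outer_dst, inner_src, inner_dst, ulp, key, spi=0x1000):
    """[ip:outer_src->outer_dst][ah][ip:inner_src->inner_dst][ulp]"""
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_TCP, len(ulp)) + ulp
    # AH per RFC 1826: next header, auth-data length in 32-bit words, reserved, SPI, auth data
    ah = struct.pack("!BBHI", IPPROTO_IPIP, ICV_LEN // 4, 0, spi) + bytes(ICV_LEN)
    pkt = ipv4_header(outer_src, outer_dst, IPPROTO_AH, len(ah) + len(inner)) + ah + inner
    icv = hmac.new(key, _authenticated_view(pkt), hashlib.md5).digest()
    return pkt[:ICV_OFF] + icv + pkt[ICV_OFF + ICV_LEN:]

def parse_tunnel_ah(pkt):
    """Walk the header chain; returns tunnel endpoints, end hosts and the protocol chain."""
    outer = struct.unpack(IP_FMT, pkt[:20])
    nh, ln, _, spi = struct.unpack("!BBHI", pkt[AH_OFF:AH_OFF + 8])
    inner_off = AH_OFF + 8 + ln * 4
    inner = struct.unpack(IP_FMT, pkt[inner_off:inner_off + 20])
    return {"tunnel": (socket.inet_ntoa(outer[8]), socket.inet_ntoa(outer[9])),
            "hosts": (socket.inet_ntoa(inner[8]), socket.inet_ntoa(inner[9])),
            "chain": (outer[6], nh, inner[6]), "spi": spi}

def verify_tunnel_ah(pkt, key):
    """Recompute the ICV as the sender did: outer mutable fields excluded, everything else covered."""
    expected = hmac.new(key, _authenticated_view(pkt), hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[ICV_OFF:ICV_OFF + ICV_LEN])

if __name__ == "__main__":
    key = b"constructed-demo-key"
    # constructed addresses: r1 -> r2 are the gateways, h1 -> h2 the end hosts
    pkt = build_tunnel_ah("192.0.2.1", "198.51.100.1", "10.0.0.5", "10.1.0.7", b"TCP payload", key)
    print(parse_tunnel_ah(pkt), verify_tunnel_ah(pkt, key))
```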


