Re: Re[2]: AH (without ESP) on a secure gateway
On Wed, 4 Dec 1996, Ran Atkinson wrote:
> I believe that ESP should continue to always imply that encryption is
> in use. The presence/absence of encryption is the primary reason that AH is
> separate from ESP. Were it not for the political realities of regulation of
> encryption in various locales, AH and ESP would not have been separate
> protocols in the first place. I am aware of cases where in practice more than
> one government regulatory authority has been persuaded to handle AH export/use
> licensing with significantly less hassle BECAUSE the AH spec does not support
> encryption.
>
> I am aware that many implementers of AH have in fact implemented a
> "tunnel-mode AH" (which looks like this: [ip:r1->r2][ah][ip:h1->h2][ulp],
> where r1,r2 are security gateways and h1,h2 are end nodes). I believe that
> the best approach is to simply add a definition of this tunnel-mode AH into
> the AH base specification. This also has the virtue of having the least
> amount of negative impact on interoperability of existing AH implementations.
>
> Comments?
>
> Ran
> rja@cisco.com
>
AH in tunnel mode is required for the above case as well as the case of
a host that implements AH (h1) talking via a gateway (r2) to a host
behind the gateway (h2). In this case the headers would look like this:
[ip:h1->r2][ah][ip:h1->h2][ulp].
Such a mode is indeed required and would ease exportability issues.
Dan Frommer
dan@radguard.com
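The header layout discussed in this thread, [ip:h1->r2][ah][ip:h1->h2][ulp], as an added worked example (not code from either post). It assumes an RFC 2402-style AH header (next header, payload length, reserved, SPI, sequence number, ICV) with HMAC-SHA1-96 as the integrity algorithm; the addresses, key and payload are constructed sample values. The point it shows is why tunnel-mode AH matters for the gateway case: the ICV covers the entire inner h1->h2 header, while the outer header's mutable fields (TTL, TOS, flags, checksum) are zeroed before authentication so that ordinary forwarding does not break verification.

```python
"""Tunnel-mode AH: [ip:h1->r2][ah][ip:h1->h2][ulp].

Added example, not from the mailing-list post.  Assumes an RFC 2402-style
AH header and HMAC-SHA1-96; addresses, key and payload are constructed.
"""
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4    # "next header" after AH in tunnel mode is an IP packet
IPPROTO_UDP = 17
IPPROTO_AH = 51
AH_FIXED_LEN = 12   # bytes of AH header before the ICV
ICV_LEN = 12        # HMAC-SHA1-96 keeps the leftmost 96 bits of the MAC


def ipv4_checksum(hdr):
    """One's-complement checksum of a header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable(outer):
    """Zero the outer fields that legitimately change in transit:
    TOS, flags/fragment offset, TTL and header checksum."""
    b = bytearray(outer)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def compute_icv(key, outer, ah_fixed, inner):
    """ICV over outer header (mutables zeroed), AH header with ICV zeroed,
    and the whole inner packet, so the inner h1->h2 addresses are covered."""
    data = zero_mutable(outer) + ah_fixed + bytes(ICV_LEN) + inner
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_tunnel_ah(key, outer_src, outer_dst, inner_src, inner_dst, ulp,
                    spi=0x1000, seq=1):
    """Emit [ip:outer_src->outer_dst][ah][ip:inner_src->inner_dst][ulp]."""
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_UDP, len(ulp)) + ulp
    # AH Payload Length field is the AH length in 32-bit words minus 2.
    ah_fixed = struct.pack("!BBHII", IPPROTO_IPIP,
                           (AH_FIXED_LEN + ICV_LEN) // 4 - 2, 0, spi, seq)
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_AH,
                        AH_FIXED_LEN + ICV_LEN + len(inner))
    return outer + ah_fixed + compute_icv(key, outer, ah_fixed, inner) + inner


def verify_tunnel_ah(key, packet):
    """Gateway (r2) side check: returns (icv_ok, inner_src, inner_dst)."""
    outer = packet[:20]
    if outer[9] != IPPROTO_AH:
        return False, None, None
    ah_total = (packet[21] + 2) * 4
    ah_fixed = packet[20:20 + AH_FIXED_LEN]
    icv = packet[20 + AH_FIXED_LEN:20 + ah_total]
    inner = packet[20 + ah_total:]
    ok = hmac.compare_digest(icv, compute_icv(key, outer, ah_fixed, inner))
    return ok, socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])


def forward_hop(packet):
    """What an intermediate router does: decrement outer TTL, fix checksum."""
    b = bytearray(packet)
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b[:20])))
    return bytes(b)


def rewrite_inner_dst(packet, new_dst):
    """Alter the inner destination without redoing AH; the ICV must fail."""
    b = bytearray(packet)
    off = 20 + (packet[21] + 2) * 4
    b[off + 16:off + 20] = socket.inet_aton(new_dst)
    return bytes(b)


if __name__ == "__main__":
    key = b"constructed-demo-key"                               # sample key
    pkt = build_tunnel_ah(key, "192.0.2.10", "198.51.100.1",    # h1 -> r2
                          "192.0.2.10", "10.0.0.7", b"hello")   # h1 -> h2
    print(verify_tunnel_ah(key, pkt))
    print(verify_tunnel_ah(key, forward_hop(pkt))[0])           # TTL is mutable
    print(verify_tunnel_ah(key, rewrite_inner_dst(pkt, "10.0.0.9"))[0])
```

The receiving gateway decapsulates only after the ICV checks, so a packet whose inner destination was changed on the path is dropped, while a packet that merely lost a TTL hop is accepted; in transport-mode AH the inner h1->h2 header would not exist, which is the gap the tunnel-mode definition closes.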