
Re: eliminate AH



At 04:24 AM 5/22/97 GMT, William Allen Simpson wrote:

>I don't want 2 different ways to authenticate.  It's too complicated.

I'd rather not have two methods as well.

>We only need one way, for all the reasons given by Steve in his earlier
>message.  If we have it in ESP, and cannot agree on when to use it and
>when not, then let's discard AH.  Simplify.

Or simply define AH as encryptionless ESP.  (e.g. the processing rules
are identical for both except that if you are using null-encryption
the protocol field is AH else it's ESP).  This does, however, mean that
IPv6 routing headers and hop-by-hop options cannot be authenticated.
(the destination node options can be covered by placing them after the
AH/ESP; this technique should work for the Mobile IPv6 routing header
as well since it's transmitted in "final form" by the mobile host).

-- 
Matt Thomas                    Internet:   matt.thomas@altavista-software.com
Internet Locksmith             WWW URL:    <coming eventually>
AltaVista Internet Software    Disclaimer: This message reflects my own
Littleton, MA                              warped views, etc.

