
Re: eliminate AH -- unanimous



Ever since Bill posted his straw poll, I've been bothered by an
intuitive feeling that AH and encryptionless ESP were not equivalent.
This afternoon, I finally realized the crucial difference:  AH can be
deleted or ignored in a context-independent way.  Consider, for
example, a host that wishes to ignore authentication for the moment, or
a firewall that wants to look at port numbers, or a network traffic
monitor that wants to see what ports are being used.  With AH, this is
easy -- skip the number of words denoted by the length field, plug in
the proper protocol id, and carry on.  This can't be done with ESP
without knowledge of the security association.

Now -- whether or not we want to enable any of these abilities is a
separate issue.  But the distinction does exist.
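The context-free strip described above, as an added example that is not part of the original message or of any IPsec implementation it refers to. It assumes the later RFC 4302 AH and RFC 4303 ESP layouts in IPv4 transport mode, uses NULL encryption to stand in for "encryptionless ESP", and builds all packets inline with dummy ICV bytes, since the point is header parsing rather than integrity verification. The function and constant names are this example's own.

```python
"""Added example (not from the original message): AH can be removed using only
the fields in the packet; ESP cannot be removed without knowing the SA.

Assumes RFC 4302 AH and RFC 4303 ESP layouts, IPv4 transport mode.  Packets
are constructed inline; ICVs are dummy bytes, not real MACs.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPPROTO_AH = 51


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header whose checksum field is zero."""
    total = sum(struct.unpack('!%dH' % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) in front of payload; addresses are constructed."""
    hdr = bytearray(struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0x1234,
                                0x4000, 64, proto, 0,
                                bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    struct.pack_into('!H', hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def build_ah(next_hdr: int, spi: int, seq: int, icv: bytes, payload: bytes) -> bytes:
    """AH: Next Header, Payload Len (AH length in 32-bit words minus 2), Reserved, SPI, Seq, ICV."""
    ah_len = 12 + len(icv)
    assert ah_len % 4 == 0, 'AH must be a whole number of 32-bit words'
    return struct.pack('!BBHII', next_hdr, ah_len // 4 - 2, 0, spi, seq) + icv + payload


def build_esp(next_hdr: int, spi: int, seq: int, icv: bytes, payload: bytes) -> bytes:
    """ESP with NULL encryption: SPI, Seq, payload, padding, Pad Length, Next Header, ICV.
    Next Header sits just before the ICV, so where it is depends on the SA's ICV length."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default padding pattern
    return struct.pack('!II', spi, seq) + payload + padding + bytes([pad_len, next_hdr]) + icv


def _ihl(pkt: bytes) -> int:
    return (pkt[0] & 0x0F) * 4


def _rewrite_ip(pkt: bytes, proto: int, inner: bytes) -> bytes:
    """Re-attach the IPv4 header to inner with the new protocol, length and checksum."""
    ihl = _ihl(pkt)
    hdr = bytearray(pkt[:ihl])
    hdr[9] = proto
    struct.pack_into('!H', hdr, 2, ihl + len(inner))
    struct.pack_into('!H', hdr, 10, 0)
    struct.pack_into('!H', hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + inner


def strip_ah(pkt: bytes) -> bytes:
    """Remove AH using only what is in the packet: no SA lookup, no key, no SPI table."""
    ihl = _ihl(pkt)
    if pkt[9] != IPPROTO_AH:
        raise ValueError('not an AH packet')
    next_hdr, payload_len = pkt[ihl], pkt[ihl + 1]
    ah_len = (payload_len + 2) * 4            # "skip the number of words in the length field"
    return _rewrite_ip(pkt, next_hdr, pkt[ihl + ah_len:])   # "plug in the proper protocol id"


def strip_esp(pkt: bytes, icv_len: int) -> bytes:
    """Remove a NULL-encryption ESP header.  icv_len is SA state (12 for HMAC-SHA1-96,
    16 for HMAC-SHA-256-128, ...); without it Next Header and Pad Length cannot be found."""
    ihl = _ihl(pkt)
    if pkt[9] != IPPROTO_ESP:
        raise ValueError('not an ESP packet')
    esp = pkt[ihl:]
    pad_len, next_hdr = esp[-icv_len - 2], esp[-icv_len - 1]
    inner = esp[8:len(esp) - icv_len - 2 - pad_len]
    return _rewrite_ip(pkt, next_hdr, inner)


def tcp_ports(pkt: bytes):
    """What the firewall or monitor in the message wants: (src, dst) ports, or None."""
    if pkt[9] != IPPROTO_TCP:
        return None
    ihl = _ihl(pkt)
    return struct.unpack('!HH', pkt[ihl:ihl + 4])


# Constructed sample traffic: one TCP SYN, carried once under AH and once under ESP-NULL.
TCP_SEGMENT = struct.pack('!HHIIBBHHH', 1234, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
PLAIN = build_ipv4(IPPROTO_TCP, TCP_SEGMENT)
DUMMY_ICV = b'\xAA' * 12                        # HMAC-SHA1-96 sized, not a real ICV
AH_PKT = build_ipv4(IPPROTO_AH, build_ah(IPPROTO_TCP, 0x100, 1, DUMMY_ICV, TCP_SEGMENT))
ESP_PKT = build_ipv4(IPPROTO_ESP, build_esp(IPPROTO_TCP, 0x200, 1, DUMMY_ICV, TCP_SEGMENT))

if __name__ == '__main__':
    print('ports visible through AH:', tcp_ports(AH_PKT),
          '-> after context-free strip:', tcp_ports(strip_ah(AH_PKT)))
    print('ESP with the SA\'s ICV length (12):', tcp_ports(strip_esp(ESP_PKT, 12)))
    wrong = strip_esp(ESP_PKT, 16)
    print('ESP with a guessed ICV length (16): protocol', wrong[9], 'ports', tcp_ports(wrong))
```

Guessing the ICV length wrong does not fail loudly: the parser lands inside the TCP header, reads a protocol of 0 and a truncated payload, and the port inspection simply sees no TCP. With real encryption the Next Header field is under the cipher as well, so even the SA's ICV length is not enough and the intermediary would need the key.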

