
Re: eliminate AH -- unanimous




Steven Bellovin writes:
> Ever since Bill posted his straw poll, I've been bothered by an
> intuitive feeling that AH and encryptionless ESP were not equivalent.
> This afternoon, I finally realized the crucial difference:  AH can be
> deleted or ignored in a context-independent way.  Consider, for
> example, a host that wishes to ignore authentication for the moment, or
> a firewall that wants to look at port numbers, or a network traffic
> monitor that wants to see what ports are being used.  With AH, this is
> easy -- skip the number of words denoted by the length field, plug in
> the proper protocol id, and carry on.  This can't be done with ESP
> without knowledge of the security association.

That was why we originally had the distinction when the current
formats originated at the Toronto meeting.


Perry
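The context-free AH skip that Bellovin describes in the quoted text, written out as an added Python example; this is not code from this thread or from any IPsec implementation. It assumes the AH layout as standardized in RFC 4302 (Next Header, Payload Len counting 32-bit words minus 2, Reserved, SPI, Sequence Number, ICV), uses constructed IPv4/TCP packets with a fabricated 96-bit ICV, and shows the contrast with ESP: after the SPI and sequence number, the framing of what follows (IV length, trailer, ICV length) is security-association state, so a firewall or monitor cannot locate the port numbers without that association.

```python
"""
Constructed example: a firewall-style port inspector that skips an IPv4
Authentication Header (protocol 51) using only the AH length field and
Next Header byte, and that cannot do the same for ESP (protocol 50).
AH layout assumed per RFC 4302; packets and ICV below are fabricated.
"""
import socket
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51


def ipv4_checksum(hdr: bytes) -> int:
    """Ones-complement sum over 16-bit words; returns 0 for a valid header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(proto: int, payload: bytes, src="10.0.0.1", dst="10.0.0.2") -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH with a fabricated ICV; the skip below never looks at its value."""
    assert len(icv) % 4 == 0, "ICV is padded to a 32-bit boundary in AH"
    payload_len = (12 + len(icv)) // 4 - 2   # RFC 4302: words minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def strip_ah(pkt: bytes) -> bytes:
    """Remove an AH that directly follows the IPv4 header, context-free.
    Only the Payload Len and Next Header bytes are consulted; SPI, sequence
    number and ICV are skipped over without being understood."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_AH:
        return pkt
    ah = pkt[ihl:]
    next_header = ah[0]
    ah_len = (ah[1] + 2) * 4                 # length field is in 32-bit words
    body = pkt[ihl + ah_len:]
    hdr = bytearray(pkt[:ihl])
    hdr[9] = next_header                     # "plug in the proper protocol id"
    struct.pack_into("!H", hdr, 2, ihl + len(body))   # fix Total Length
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + body


def transport_ports(pkt: bytes):
    """What a firewall or traffic monitor can learn about ports.
    Returns (proto, sport, dport), or None when the ports are not visible."""
    pkt = strip_ah(pkt)
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return proto, sport, dport
    # ESP: SPI and sequence number are followed by a payload whose start (IV
    # length), trailer and ICV length are known only to the security
    # association, and the Next Header byte lives in that trailer. Even with
    # null encryption the parser cannot place the ports without SA state.
    return None


# Constructed TCP header: sport 40000, dport 443, SYN, no options.
_TCP = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)


def build_ah_packet() -> bytes:
    """IPv4 | AH(next=TCP, fabricated 96-bit ICV) | TCP."""
    payload = ah_header(IPPROTO_TCP, 0x100, 1, bytes(12)) + _TCP
    return ipv4_header(IPPROTO_AH, payload) + payload


def build_esp_packet() -> bytes:
    """IPv4 | ESP(SPI, seq) | TCP in the clear; trailer and ICV omitted."""
    payload = struct.pack("!II", 0x200, 1) + _TCP
    return ipv4_header(IPPROTO_ESP, payload) + payload


if __name__ == "__main__":
    print("with AH :", transport_ports(build_ah_packet()))   # (6, 40000, 443)
    print("with ESP:", transport_ports(build_esp_packet()))  # None
```

The skip works because every byte the inspector needs (Payload Len, Next Header) is in the fixed, unauthenticated-by-context part of AH; removing the header also means the packet must be re-lengthed and re-checksummed, which the example does in place.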

