Re: eliminate AH -- unanimous
Steven Bellovin writes:
> Ever since Bill posted his straw poll, I've been bothered by an
> intuitive feeling that AH and encryptionless ESP were not equivalent.
> This afternoon, I finally realized the crucial difference: AH can be
> deleted or ignored in a context-independent way. Consider, for
> example, a host that wishes to ignore authentication for the moment, or
> a firewall that wants to look at port numbers, or a network traffic
> monitor that wants to see what ports are being used. With AH, this is
> easy -- skip the number of words denoted by the length field, plug in
> the proper protocol id, and carry on. This can't be done with ESP
> without knowledge of the security association.
That was why we originally had the distinction when the current
formats originated at the Toronto meeting.
Perry
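The point Bellovin makes, as an added example in C that is not part of the thread: a parser that strips AH from an IPv4 packet using only fields carried in the packet (Payload Len gives the words to skip, Next Header becomes the IP Protocol), beside the ESP case where the Next Header byte lives in the trailer behind an ICV whose length comes from the SA, so the same parser cannot find it without `icv_len` supplied from outside. The sample packets and the ICV bytes are constructed placeholders, not real captures or computed MACs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Protocol numbers as carried in the IPv4 Protocol field. */
#define PROTO_UDP 17
#define PROTO_AH  51

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1071 one's-complement checksum over the IPv4 header. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += rd16(hdr + i);
    if (len & 1) sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/*
 * Remove AH from an IPv4 packet in place using only what the packet carries:
 * AH Payload Len (length in 32-bit words minus 2) says how much to skip, AH
 * Next Header is written into the IP Protocol field, then Total Length and
 * the header checksum are fixed. No SA lookup; the ICV is discarded unverified.
 * Returns the new packet length, or 0 if this is not a well-formed AH packet.
 */
size_t strip_ah(uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 12 || pkt[9] != PROTO_AH) return 0;
    if (rd16(pkt + 2) != len) return 0;               /* reject truncated or padded input */
    uint8_t *ah = pkt + ihl;
    size_t ah_len = ((size_t)ah[1] + 2) * 4;          /* fixed fields + SPI/seq + ICV */
    if (len < ihl + ah_len) return 0;
    uint8_t next = ah[0];
    size_t rest = len - ihl - ah_len;
    memmove(ah, ah + ah_len, rest);                   /* pull the upper layer up over AH */
    size_t new_len = ihl + rest;
    pkt[9] = next;
    wr16(pkt + 2, (uint16_t)new_len);
    wr16(pkt + 10, 0);
    wr16(pkt + 10, ip_checksum(pkt, ihl));
    return new_len;
}

/*
 * The ESP contrast: even with a null cipher, ESP's Next Header byte sits in the
 * trailer (after padding and Pad Length, before the ICV), so locating it needs
 * the ICV length, a property of the SA rather than of the packet. Supply the
 * wrong icv_len and you read some unrelated byte. Returns -1 if too short.
 */
int esp_next_header(const uint8_t *esp, size_t esp_len, size_t icv_len) {
    if (esp_len < 8 + 2 + icv_len) return -1;         /* SPI, seq, pad len, next hdr, ICV */
    return esp[esp_len - icv_len - 1];
}

/* Constructed sample: IPv4 + AH with a 12-byte placeholder ICV + UDP 1234->53 + "ABCD". */
size_t build_sample(uint8_t *buf, size_t cap) {
    static const uint8_t ah_and_up[] = {
        PROTO_UDP, 4, 0x00, 0x00,                      /* next hdr, payload len (6 words - 2), reserved */
        0x00, 0x00, 0x10, 0x01,                        /* SPI 0x1001 */
        0x00, 0x00, 0x00, 0x01,                        /* sequence number 1 */
        0xde,0xad,0xbe,0xef,0xde,0xad,0xbe,0xef,0xde,0xad,0xbe,0xef,  /* placeholder ICV */
        0x04, 0xd2, 0x00, 0x35, 0x00, 0x0c, 0x00, 0x00, /* UDP: 1234 -> 53, length 12, csum 0 */
        0x41, 0x42, 0x43, 0x44,                        /* payload "ABCD" */
    };
    size_t len = 20 + sizeof ah_and_up;
    if (cap < len) return 0;
    memset(buf, 0, 20);
    buf[0] = 0x45;                                     /* IPv4, IHL 5 */
    wr16(buf + 2, (uint16_t)len);
    wr16(buf + 6, 0x4000);                             /* DF */
    buf[8] = 64;
    buf[9] = PROTO_AH;
    memcpy(buf + 12, "\x0a\x00\x00\x01\x0a\x00\x00\x02", 8);   /* 10.0.0.1 -> 10.0.0.2 */
    wr16(buf + 10, ip_checksum(buf, 20));
    memcpy(buf + 20, ah_and_up, sizeof ah_and_up);
    return len;
}

/* Constructed ESP body, null cipher, 12-byte ICV: SPI, seq, 8 UDP bytes, 2 pad, Pad Len 2, Next Header 17, ICV. */
const uint8_t esp_sample[] = {
    0x00, 0x00, 0x20, 0x01,  0x00, 0x00, 0x00, 0x01,
    0x04, 0xd2, 0x00, 0x35,  0x00, 0x08, 0x00, 0x00,
    0x01, 0x02, 2, PROTO_UDP,
    0xde,0xad,0xbe,0xef,0xde,0xad,0xbe,0xef,0xde,0xad,0xbe,0xef,
};
const size_t esp_sample_len = sizeof esp_sample;
```

`strip_ah` is exactly the firewall or monitor operation in the quoted message: after it runs, the UDP ports sit at the offset any non-IPsec-aware parser expects. `esp_next_header` only returns the right answer when called with the ICV length negotiated for the SA (12 for the sample); the packet itself cannot tell you that number.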