
Re: Some queries regarding IP security



>>>>> "shganguly" == shganguly  <shganguly@hss.hns.com> writes:

 shganguly> Hi,

 shganguly> I have a couple of issues to be clarified regarding IPsec.

 shganguly> First regarding ESP protocol. ESP provides authentication
 shganguly> as well as confidentiality. The authentication provided by
 shganguly> ESP is not as effective as the one provided by AH. It does
 shganguly> not authenticate the IP header, both in transport as well
 shganguly> as tunnel (in tunnel mode the new IP header) mode. So my
 shganguly> query is why is the feature of authentication provided for
 shganguly> in ESP, when it is there in AH which is also better than
 shganguly> the one in ESP?

I don't know all the history, but here's one view: for tunnel mode at
least, the authentication provided by ESP is sufficient.  The added
checks that AH provides then are not needed.  And ESP authentication
is much easier to do in hardware with a single pass than AH.  In
particular, if compression is used, you *cannot* do AH in the same
pass as IPCOMP/ESP.

	paul
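
Added example, not part of the original message or of any IPsec implementation: a Python sketch of which bytes each integrity check covers in tunnel mode, showing that ESP leaves the new outer IP header unauthenticated while still protecting the whole inner packet. The key, SPI, addresses, NULL encryption for ESP and the HMAC-SHA-256-128 ICV are assumptions chosen to keep the layout readable.

```python
import hashlib, hmac, struct

KEY = b"constructed-demo-key"   # constructed sample key
SPI, SEQ = 0x1000, 1            # constructed SA values

def ipv4(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header, no options; checksum left at zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, bytes(src), bytes(dst))

def icv(data):
    """HMAC-SHA-256 truncated to 128 bits (algorithm choice is an assumption)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def ah_view(outer):
    """Outer header as AH hashes it: TOS, flags/offset, TTL, checksum zeroed."""
    h = bytearray(outer)
    h[1], h[8] = 0, 0
    h[6:8] = h[10:12] = b"\x00\x00"
    return bytes(h)

def esp_tunnel(src, dst, inner):
    """ESP ICV covers SPI, sequence, payload, padding, pad length, next header."""
    pad = bytes(range(1, (-(len(inner) + 2)) % 4 + 1))
    body = struct.pack("!II", SPI, SEQ) + inner + pad + bytes([len(pad), 4])
    return ipv4(src, dst, 50, len(body) + 16) + body + icv(body)

def ah_tunnel(src, dst, inner):
    """AH ICV covers immutable outer header fields, the AH header, and the payload."""
    ah = struct.pack("!BBHII", 4, 5, 0, SPI, SEQ)   # next header 4, payload len 28/4 - 2
    outer = ipv4(src, dst, 51, len(ah) + 16 + len(inner))
    return outer + ah + icv(ah_view(outer) + ah + bytes(16) + inner) + inner

def esp_ok(pkt):
    return hmac.compare_digest(icv(pkt[20:-16]), pkt[-16:])

def ah_ok(pkt):
    data = ah_view(pkt[:20]) + pkt[20:32] + bytes(16) + pkt[48:]
    return hmac.compare_digest(icv(data), pkt[32:48])

def patch(pkt, offset, value):
    """Return a copy of pkt with one byte changed, as a modification in transit."""
    out = bytearray(pkt)
    out[offset] = value
    return bytes(out)

INNER = ipv4([10, 0, 0, 1], [10, 0, 1, 1], 17, 8) + b"DATADATA"   # constructed inner packet
ESP = esp_tunnel([192, 0, 2, 1], [198, 51, 100, 2], INNER)
AH = ah_tunnel([192, 0, 2, 1], [198, 51, 100, 2], INNER)

if __name__ == "__main__":
    print("outer src changed: ESP", esp_ok(patch(ESP, 15, 9)), "AH", ah_ok(patch(AH, 15, 9)))
    print("outer TTL changed: ESP", esp_ok(patch(ESP, 8, 63)), "AH", ah_ok(patch(AH, 8, 63)))
    print("inner dst changed: ESP", esp_ok(patch(ESP, 47, 9)), "AH", ah_ok(patch(AH, 67, 9)))
```

A changed outer source address passes the ESP check and fails the AH check, a changed TTL passes both because AH treats it as mutable, and any change to the inner header fails both.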

