
Re: Reasons for AH & ESP



At 11:39 AM 5/28/2000 +1000, KokMing wrote:

>Does anyone know, or is able to explain the reasons for AH & ESP?
>As Neil Ferguson and Bruce Schneier wrote in 'Cryptographic Evaluation of
>IPsec', I too, find no reasons for two protocols in the RFCs.

Part of it is historical:

1) Review RFCs 1825 - 1829.  Then ESP did not do packet
authentication.  For privacy and authentication, you needed both AH + ESP.

2) Early reworking of ESP, adding authentication (after the Danvers
IETF) did not have a mode with authentication and no privacy.  This only
came about when I convinced Rob Glenn to write the NULL transform draft at
the IPsec workshop in Raleigh NC (Workshop #5).

During standards development, it was of greater concern to get things right
than to argue what to prune.  There were some back then that valued AH
over ESP NULL for export reasons, for example.

Then there is the IPv6 concern.  AH DOES offer header protection for IPv6 
that ESP cannot provide.

Hope this helps some.


Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com
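As an added illustration of the last point in the reply above (this is not part of the original message or of any IPsec implementation), here is a small Python model of what each protocol's integrity check covers: AH hashes the outer IPv6 header with its mutable fields zeroed, while ESP with the NULL cipher hashes only the ESP header, payload and trailer. Key, addresses, SPI and payload are constructed demo values; the ICV is HMAC-SHA-256 truncated to 128 bits, and the routing-header case for the destination address is left out.

```python
import hmac
import hashlib
import struct

# Constructed demo values; not a real SA, key or traffic.
KEY = b"constructed-demo-integrity-key"
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
PAYLOAD = b"\x12\x34\x00\x35\x00\x14\x00\x00constructed!"  # fake UDP datagram
SPI, SEQ = 0x1000, 1

def ipv6_header(src, dst, payload_len, next_header, hop_limit=64, traffic_class=0):
    # 40-byte IPv6 header: version/traffic class/flow label word, payload
    # length, next header, hop limit, source and destination addresses.
    word0 = (6 << 28) | (traffic_class << 20)
    return struct.pack("!IHBB", word0, payload_len, next_header, hop_limit) + src + dst

def ah_icv(hdr, payload, key=KEY):
    # AH covers the outer IP header. Traffic Class, Flow Label and Hop Limit
    # change legitimately in transit, so they are zeroed before hashing;
    # Version, Payload Length, Next Header, Source and Destination are covered
    # as sent. The AH header itself is covered with its ICV field zeroed.
    zeroed_hdr = struct.pack("!I", 6 << 28) + hdr[4:7] + b"\x00" + hdr[8:40]
    ah_hdr = struct.pack("!BBHII", 17, 5, 0, SPI, SEQ) + b"\x00" * 16
    return hmac.new(key, zeroed_hdr + ah_hdr + payload, hashlib.sha256).digest()[:16]

def esp_null_icv(payload, key=KEY):
    # ESP-NULL: the ICV covers the ESP header (SPI, sequence number), the
    # (here plaintext) payload and the ESP trailer, never the outer IP header.
    esp_hdr = struct.pack("!II", SPI, SEQ)
    trailer = struct.pack("!BB", 0, 17)  # pad length 0, next header UDP
    return hmac.new(key, esp_hdr + payload + trailer, hashlib.sha256).digest()[:16]

def receiver_detects(icv_fn, original_hdr, received_hdr, payload):
    # The receiver recomputes the ICV over what arrived and compares it in
    # constant time with the ICV the sender computed over what was sent.
    sent = icv_fn(original_hdr, payload)
    return not hmac.compare_digest(sent, icv_fn(received_hdr, payload))

def demo():
    hdr = ipv6_header(SRC, DST, len(PAYLOAD), 17)
    spoofed = ipv6_header(bytes.fromhex("20010db800000000000000000000dead"), DST, len(PAYLOAD), 17)
    hop_decremented = ipv6_header(SRC, DST, len(PAYLOAD), 17, hop_limit=63)
    esp = lambda _hdr, p: esp_null_icv(p)   # ESP ignores the IP header entirely
    return {
        "ah_catches_spoofed_src": receiver_detects(ah_icv, hdr, spoofed, PAYLOAD),
        "ah_tolerates_hop_limit_decrement": not receiver_detects(ah_icv, hdr, hop_decremented, PAYLOAD),
        "esp_catches_spoofed_src": receiver_detects(esp, hdr, spoofed, PAYLOAD),
    }
```

Running `demo()` shows AH rejecting the rewritten source address while still accepting a hop-limit decrement, and ESP-NULL accepting the rewritten header unchanged, which is the header-protection gap the reply refers to.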


