
RE: Reasons for AH & ESP



> [snip]
> Well, if you look at IPv4 only, it doesn't make sense, agreed.
> AH's main feature is that it protects parts of the
> IP header. But in IPv4, there isn't anything interesting to
> protect.
> [snip]

You are surprising me. Are you trying to say that a host who signs
his IPv4 header (thus his source address) using a key that he negotiated
with mine, and that based on some external key negotiation, which is
not defined by AH but elsewhere, is the same as any spoofing host?

I agree that AH relies on the security provided by the key negotiation
protocol, but then it's still good to have AH while "controlling" and
improving key negotiation. For example, AH is good if my negotiation daemon
only accepts to talk to daemons having a certificate provided by some
given authority. Then why not use ESP here? Because I simply
don't wanna pay the perf overhead when I don't need it.

Moreover, from a design viewpoint, separating authentication and
confidentiality is a self-justified purpose.


regards,

mouss
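
The header coverage debated in this thread, as an added example that is not part of the original message: AH computes its integrity check value (ICV) over the IPv4 header with the in-transit mutable fields zeroed, so the source address is bound to the negotiated key while a TTL change on the path is tolerated. The HMAC-SHA-256 truncated to 128 bits, the key, the SPI, the addresses and the payload are assumptions constructed for the illustration.

```python
import hashlib, hmac, socket, struct

ICV_LEN = 16  # assumption: HMAC-SHA-256 truncated to 128 bits

def ipv4_header(src, dst, ttl, payload_len):
    """20-byte IPv4 header without options, protocol 51 (AH).
    The checksum is left at 0 because AH zeroes it before the ICV anyway."""
    total_len = 20 + 12 + ICV_LEN + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, 51, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    """Zero the fields routers may rewrite: TOS, flags/fragment offset,
    TTL, header checksum. Addresses, length, ID and protocol are kept."""
    h = bytearray(hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def ah_icv(key, ip_hdr, spi, seq, next_hdr, payload):
    """ICV over: zeroed IP header | AH header with ICV field zeroed | payload."""
    # AH payload length field = (12 + ICV_LEN) / 4 - 2 = 5 for a 16-byte ICV
    ah = struct.pack("!BBHII", next_hdr, 5, 0, spi, seq) + bytes(ICV_LEN)
    data = zero_mutable(ip_hdr) + ah + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def verify(key, ip_hdr, spi, seq, next_hdr, payload, icv):
    expected = ah_icv(key, ip_hdr, spi, seq, next_hdr, payload)
    return hmac.compare_digest(expected, icv)

def demo():
    """Returns (routed_ok, spoofed_ok) for constructed sample packets."""
    key = b"constructed-example-key"          # stands in for the negotiated key
    payload = b"constructed payload"
    spi, seq, tcp = 0x1000, 1, 6
    n = len(payload)
    sent = ipv4_header("192.0.2.10", "198.51.100.7", 64, n)
    icv = ah_icv(key, sent, spi, seq, tcp, payload)
    routed = ipv4_header("192.0.2.10", "198.51.100.7", 57, n)   # TTL decremented
    spoofed = ipv4_header("192.0.2.99", "198.51.100.7", 64, n)  # source changed
    return (verify(key, routed, spi, seq, tcp, payload, icv),
            verify(key, spoofed, spi, seq, tcp, payload, icv))

if __name__ == "__main__":
    print(demo())
```
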


