>>At 11:39 AM 5/28/2000 +1000, KokMing wrote:
>>Does anyone know, or is able to explain the reasons for AH & ESP?
>>As Neil Ferguson and Bruce Schneier wrote in 'Cryptographic Evaluation of
>>IPsec', I too, find no reasons for two protocols in the RFCs.
>
>Part of it is Historical:
>
>1) Review RFCs 1825 - 1829. Then ESP did not do packet
>authentication. For privacy and authentication, you needed both AH + ESP.
No ... not exactly. Going back even further in history there was no AH. The IPsec working group was originally chartered and started the definition of a single encapsulation protocol. The flurry of IPv6 activity at the same time introduced requirements and proposals for the AH protocol.
The requirements for AH are solely for the support of IPv6. IPv4 does not need AH.
IMHO AH should never be used with IPv4. It adds extra complexity, protocol overhead, processing delays and general system design confusion. For IPv4, the AH protocol adds no tangible security benefits.
Paul
Paul A. Lambert
Director of Security Applications
CoSine Communications
1200 Bridge Parkway
Redwood City, CA 94065
PGP: E9A4 022D FB0E 7352 17E5
7D46 C0CF 6BF5 DE64 621E