
RE: Reasons for AH & ESP


>>At 11:39 AM 5/28/2000 +1000, KokMing wrote:
>>Does anyone know, or is able to explain the reasons for AH & ESP?
>>As Neil Ferguson and Bruce Schneier wrote in 'Cryptographic Evaluation of
>>IPsec', I too, find no reasons for two protocols in the RFCs.
>
>Part of it is historical:
>
>1)      Review RFCs 1825 - 1829.  Then ESP did not do packet
>authentication.  For privacy and authentication, you needed both AH + ESP.

No ... not exactly.  Going back even further in history, there was no AH.  The IPsec working group was originally chartered and started the definition of a single encapsulation protocol.  The flurry of IPv6 activity at the same time introduced requirements and proposals for the AH protocol.

The requirements for AH are solely for the support of IPv6.  IPv4 does not need AH.

IMHO AH should never be used with IPv4.  It adds extra complexity, protocol overhead, processing delays and general system design confusion. For IPv4, the AH protocol adds no tangible security benefits.

Paul



Paul A. Lambert
Director of Security Applications
CoSine Communications
1200 Bridge Parkway
Redwood City, CA 94065

PGP: E9A4 022D FB0E 7352 17E5
         7D46 C0CF 6BF5 DE64 621E