
Re: Death to AH? (was: Reasons for AH & ESP )



> In message <200006022050.QAA17398@solidum.com>, Michael Richardson writes:
> 
> >
> >  I believe that the decision as to MAY/SHOULD/MUST for IPv6 should be left to
> > ipngwg.
> 
> No -- they're not security folks, for the most part.  (There are 
> certainly exceptions, including Ran Atkinson.)  The decision needs to 
> be made jointly, based on headers devised by ipngwg and analyzed for 
> security properties by ipsecwg.
> 
Mobile IPv6 has introduced new IPv6 destination options which require
the use of AH. Section 4.4 of draft-ietf-mobileip-ipv6-12.txt
explains the IPsec requirements. (June 8th is the deadline for
any comments. It is to become a proposed standard). It specifically
says ESP can't be used.

When a mobile node is away from home, it sends binding
updates (destination option) to Home agents/correspondent nodes
indicating its new location. Binding updates MUST be accompanied
by the Home address option (another destination option).
In this case AH covers both the care-of address (current location
of the mobile node) pointed to by the IPv6 header's source address and
the home address present in the home address option. How do we
protect this using ESP-NULL-AH? How do you protect both the care-of
address and the Home address?

-mohan
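
The coverage difference behind the question above, as an added example that is not part of the original thread: a simplified Python model of which bytes feed the AH ICV versus the ESP-NULL ICV in transport mode, using HMAC-SHA1-96. The key, SPI, addresses and payload are constructed, and placing the Destination Options header ahead of the security header is an assumption, not something the message states.

```python
import hashlib, hmac, ipaddress, struct

KEY = b"constructed-demo-key"   # constructed sample key, not from the thread
SPI, SEQ = 0x1000, 1            # constructed SA values
UPPER = 17                      # next-header value for the opaque payload (UDP)

def icv(data):
    """HMAC-SHA1 truncated to 96 bits, used here for both AH and ESP-NULL."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ipv6_header(src, dst, next_hdr, payload_len, hop_limit):
    # 40-byte fixed header: version 6, traffic class and flow label 0.
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_hdr, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

def home_address_dest_opts(home, next_hdr):
    # PadN (4 bytes) for alignment, then Home Address option: type 201, length 16.
    opts = b"\x01\x02\x00\x00" + b"\xc9\x10" + ipaddress.IPv6Address(home).packed
    return struct.pack("!BB", next_hdr, (2 + len(opts)) // 8 - 1) + opts

def ah_icv(care_of, dst, home, payload, hop_limit=64):
    """AH input: IPv6 header (mutable fields zeroed), extension headers, AH, payload."""
    dest_opts = home_address_dest_opts(home, 51)                   # 51 = AH
    ah = struct.pack("!BBHII", UPPER, 4, 0, SPI, SEQ) + bytes(12)  # ICV field zeroed
    plen = len(dest_opts) + len(ah) + len(payload)
    hdr = bytearray(ipv6_header(care_of, dst, 60, plen, hop_limit))  # 60 = Dest Opts
    hdr[0:4] = b"\x60\x00\x00\x00"   # traffic class and flow label are mutable
    hdr[7] = 0                       # hop limit is mutable
    return icv(bytes(hdr) + dest_opts + ah + payload)

def esp_null_icv(care_of, dst, home, payload, hop_limit=64):
    """ESP input: SPI through Next Header only. The IPv6 header and the
    Destination Options header in front of ESP are never hashed, so the
    address arguments are deliberately unused."""
    pad = bytes(range(1, (-(len(payload) + 2)) % 4 + 1))
    trailer = pad + bytes([len(pad), UPPER])
    return icv(struct.pack("!II", SPI, SEQ) + payload + trailer)

if __name__ == "__main__":
    good = ("2001:db8:2::99", "2001:db8:3::1", "2001:db8:1::10", b"constructed payload")
    forged = ("2001:db8:bad::99",) + good[1:]      # care-of address altered in transit
    print("AH detects altered care-of address:  ", ah_icv(*good) != ah_icv(*forged))
    print("ESP-NULL detects altered care-of address:", esp_null_icv(*good) != esp_null_icv(*forged))
```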


