Re: Death to AH? (was: Reasons for AH & ESP )
> Mohan Parthasarathy writes:
> > Mobile IPv6 has introduced new IPv6 destination options which require
> > the use of AH. Section 4.4 of draft-ietf-mobileip-ipv6-12.txt
> > explains the IPsec requirements. (June 8th is the deadline for
> > any comments. It is to become a proposed standard). It specifically
> > says ESP can't be used.
>
> Is there any particular reason why the binding cache
> update messages in the destination options cannot
> follow rather than precede an ESP header? It doesn't
> look to me like there is any reason to keep destination
> options in the clear, in which case ESP would work
> fine.
>
Binding update messages themselves can appear after the AH/ESP header.
But when used with the Home Address option, it should appear
before. An earlier revision of this draft had the home address option
after the AH/ESP header. I don't know what made them change it to put it before
the AH/ESP header. Something relevant to this can be seen
in the following discussion in the ipng archives:
http://www.wcug.wwu.edu/lists/ipng/199906/msg00042.html
But still one could argue that AH still protects the CoA present
in the IPv6 header's source address field. (This can still be
overcome by using yet another "alternate-care-of-address" option.
This is not a MUST/SHOULD in the draft.) Why is it that the
protection offered by AH to the IPv6 header's source address
field is not important? At least I can see it being useful in
this case.
-mohan
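
The coverage difference raised in this message, as an added example that is not part of the original thread: the AH integrity check covers the immutable fields of the IPv6 header, including the source address that carries the care-of address, while the ESP integrity check covers only the ESP header and payload. The function names, key, SPI and 2001:db8:: addresses are constructed, and the model is simplified (no extension headers, HMAC-SHA1-96 assumed, ESP payload treated as opaque bytes).

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread

def ipv6_header(src, dst, next_header, payload_len, hop_limit=64, tclass=0, flow=0):
    """Build the 40-byte fixed IPv6 header."""
    first_word = (6 << 28) | (tclass << 20) | flow
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def ah_icv(key, header, spi, seq, payload, inner_proto=17):
    """ICV over the IPv6 header (mutable fields zeroed), the AH header and the payload."""
    # Traffic class, flow label and hop limit change in transit, so they are zeroed.
    # Version, payload length, next header, source and destination stay covered.
    immutable = struct.pack("!I", 6 << 28) + header[4:7] + b"\x00" + header[8:]
    # AH header: next header, length (32-bit words minus 2), reserved, SPI,
    # sequence number, then the 12-byte ICV field zeroed for the computation.
    ah = struct.pack("!BBHII", inner_proto, 4, 0, spi, seq) + bytes(12)
    return hmac.new(key, immutable + ah + payload, hashlib.sha1).digest()[:12]

def esp_icv(key, spi, seq, protected):
    """ICV over the ESP header and its payload only; no IP header bytes are included."""
    esp_header = struct.pack("!II", spi, seq)
    return hmac.new(key, esp_header + protected, hashlib.sha1).digest()[:12]

def source_change_detected(src_a, src_b, dst, payload=b"binding update (constructed)"):
    """Return (ah_detects, esp_detects) when only the source address differs."""
    icvs = []
    for src in (src_a, src_b):
        hdr = ipv6_header(src, dst, 51, 24 + len(payload))  # 51 = AH, 24-byte AH header
        icvs.append((ah_icv(KEY, hdr, 0x100, 1, payload),
                     esp_icv(KEY, 0x100, 1, payload)))
    return icvs[0][0] != icvs[1][0], icvs[0][1] != icvs[1][1]

if __name__ == "__main__":
    ah, esp = source_change_detected("2001:db8:1::10", "2001:db8:2::10", "2001:db8:ffff::1")
    print("AH ICV changes with source address:", ah)
    print("ESP ICV changes with source address:", esp)
```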