
Deprecation of AH header from the IPSEC tool kit




There has been some discussion recently on the possible deprecation of the
Authentication Header defined for 'whole-packet' authentication.  

I 'think' the decision was to leave it alone, and allow AH to wait for its
day.

From reading the various associated methods of securing ISIS, OSPF and
RIPV2 messages, it seems to me that AH is perfect for the protection of
these protocols.

The current HMAC-MD5 options have the following exposures that are solved
with AH:

1) no source address authentication (IP header authentication in general)
2) poor/no replay protection
3) manual keys - which restricts key length and complexity to
human-manageable keys, and makes for difficult key change procedures.

IPSEC+AH would seem to be a good choice for all control traffic exchange
between routers. If this exchange is confidential, the ESP could be used as
well.

Regards, Steve.
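The three exposures listed in the post, as an added worked example that is not part of the original message or of any IPsec implementation. The code compares a payload-only keyed MAC (a simplified stand-in for the routing protocols' keyed-MD5 option) with an AH-style ICV computed over the immutable IPv4 header fields per RFC 4302, and implements the AH sliding anti-replay window. Assumptions: HMAC-SHA1-96 as the AH integrity algorithm, a constructed shared key, constructed addresses and a constructed RIPv2-like payload; real AH receivers verify the ICV before touching the replay window.

```python
import hmac
import hashlib
import struct
import ipaddress

# Constructed sample values for the demo (not from the original post).
KEY = b"constructed-demo-key"                 # with AH this key would be negotiated by IKE
PAYLOAD = b"\x02\x02\x00\x00" + b"\x00" * 20  # constructed RIPv2-style message body


def ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 1, proto: int = 51) -> bytes:
    """Minimal 20-byte IPv4 header. Checksum is left 0; it is a mutable field anyway."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def payload_only_mac(key: bytes, payload: bytes) -> bytes:
    """Keyed MAC over the routing message only: the IP header, and so the source
    address, is not covered (simplified stand-in for keyed MD5 in RIPv2/OSPF)."""
    return hmac.new(key, payload, hashlib.md5).digest()


def zero_mutable_fields(ip_header: bytes) -> bytes:
    """RFC 4302: mutable IPv4 fields (TOS, flags/fragment offset, TTL, checksum)
    are zeroed before the ICV is computed; addresses and length stay covered."""
    h = bytearray(ip_header)
    h[1] = 0                  # TOS / DSCP
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL (decremented by every hop)
    h[10:12] = b"\x00\x00"    # header checksum (recomputed by every hop)
    return bytes(h)


def ah_icv(key: bytes, ip_header: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA1-96 style ICV over immutable IP header + AH header (ICV zeroed) + payload.
    Next Header 17 (UDP) is an assumption for the demo."""
    icv_len = 12
    ah_len_words = (12 + icv_len) // 4 - 2        # AH Payload Length field: 32-bit words minus 2
    ah_hdr = struct.pack("!BBHII", 17, ah_len_words, 0, spi, seq) + b"\x00" * icv_len
    mac = hmac.new(key, zero_mutable_fields(ip_header) + ah_hdr + payload, hashlib.sha1).digest()
    return mac[:icv_len]


class ReplayWindow:
    """Sliding anti-replay window as described in RFC 4302 section 3.4.3 (64-entry bitmap)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  =>  sequence number (top - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if it is a replay or too old."""
        if seq == 0:
            return False                            # sequence number 0 is never valid
        if seq > self.top:                          # advances the window to the right
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = (self.bitmap << shift) & mask if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                            # left of the window: too old
        if self.bitmap & (1 << diff):
            return False                            # inside the window but already seen: replay
        self.bitmap |= 1 << diff
        return True


def demo() -> dict:
    """Exercise the three points: source authentication, mutable-field tolerance, replay."""
    src, dst = "192.0.2.1", "224.0.0.9"             # constructed router and RIPv2 multicast addresses
    genuine = ipv4_header(src, dst, len(PAYLOAD))
    spoofed = ipv4_header("192.0.2.99", dst, len(PAYLOAD))   # same payload, forged source address
    rehopped = ipv4_header(src, dst, len(PAYLOAD), ttl=2)    # same packet after a TTL change
    spi, seq = 0x100, 1
    results = {
        # payload-only MAC is computed without the header, so a forged source still verifies
        "spoof_passes_payload_mac": payload_only_mac(KEY, PAYLOAD) == payload_only_mac(KEY, PAYLOAD),
        "ah_icv_detects_spoof": ah_icv(KEY, genuine, spi, seq, PAYLOAD)
                                != ah_icv(KEY, spoofed, spi, seq, PAYLOAD),
        "ttl_change_still_verifies": ah_icv(KEY, genuine, spi, seq, PAYLOAD)
                                     == ah_icv(KEY, rehopped, spi, seq, PAYLOAD),
    }
    window = ReplayWindow()
    results["replay_decisions"] = [window.check_and_update(s) for s in (1, 2, 3, 2, 70, 3, 40)]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The replay sequence shows the window behaviour: 1, 2, 3 are accepted, the repeated 2 is rejected as a replay, 70 jumps the window forward, the old 3 is now outside it and rejected, and 40 is inside the new window and accepted.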

