Deprecation of AH header from the IPSEC tool kit
There has been some discussion recently on the possible deprecation of the
Authentication Header defined for 'whole-packet' authentication.
I 'think' the decision was to leave it alone, and allow AH to wait for its
day.
From reading the various, associated methods of securing ISIS, OSPF and
RIPV2 messages, it seems to me that AH is perfect for the protection of
these protocols.
The current HMAC-MD5 options have the following exposures that are solved
with AH:
1) no source address authentication (IP header authentication in general)
2) poor/no replay protection
3) manual keys - which restricts key length and complexity to
human-manageable keys, and makes for difficult key change procedures.
IPSEC+AH would seem to be a good choice for all control traffic exchange
between routers. If this exchange is confidential, the ESP could be used as
well.
Regards, Steve.
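
Points 1 and 2 of the list above, as an added example that is not part of the original post: an AH integrity check value computed over the IPv4 header with its mutable fields zeroed, plus a sliding-window replay check on the AH sequence number. It assumes HMAC-SHA1-96 as the integrity algorithm; the key, addresses, SPI and payload are constructed, and `build`, `icv`, `Receiver` and `demo` are hypothetical names.

```python
import hashlib, hmac, socket, struct

ICV_LEN = 12  # assumption: HMAC-SHA1 truncated to 96 bits as the AH integrity algorithm

def icv(key, ip_hdr, ah_hdr, payload):
    """ICV over the IPv4 header (mutable fields zeroed), AH (ICV zeroed) and payload."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0             # TOS/DSCP may change in transit
    hdr[6:8] = b"\0\0"     # flags and fragment offset
    hdr[8] = 0             # TTL
    hdr[10:12] = b"\0\0"   # header checksum
    # Source and destination addresses (bytes 12..19) stay in the MAC input: point 1.
    return hmac.new(key, bytes(hdr) + ah_hdr[:12] + b"\0" * ICV_LEN + payload,
                    hashlib.sha1).digest()[:ICV_LEN]

def build(key, src, dst, spi, seq, payload, ttl=64, next_hdr=89):
    """IPv4 + AH (transport mode) + payload; next_hdr 89 is OSPF, 51 is AH."""
    ah = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)  # length field: 6 words - 2
    # Header checksum is left 0 in this constructed packet; it is excluded from the ICV.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44 + len(payload), 0, 0, ttl, 51, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + ah + icv(key, ip, ah, payload) + payload

class Receiver:
    def __init__(self, key, window=32):
        self.key, self.window, self.top, self.seen = key, window, 0, set()

    def accept(self, pkt):
        ip, ah, payload = pkt[:20], pkt[20:44], pkt[44:]
        seq = struct.unpack("!I", ah[8:12])[0]
        # Point 2: drop anything left of the window or already seen inside it.
        if seq == 0 or seq + self.window <= self.top or seq in self.seen:
            return "replay"
        if not hmac.compare_digest(ah[12:], icv(self.key, ip, ah, payload)):
            return "bad-icv"
        # Only an authenticated packet may advance the window.
        self.top = max(self.top, seq)
        self.seen = {s for s in self.seen | {seq} if s + self.window > self.top}
        return "ok"

def demo():
    key = b"constructed-demo-key"
    rx = Receiver(key)
    pkt = build(key, "192.0.2.1", "192.0.2.2", 0x100, 1, b"constructed routing update")
    spoofed = pkt[:12] + socket.inet_aton("192.0.2.99") + pkt[16:]  # source rewritten
    hop = bytearray(pkt); hop[8] -= 1                               # TTL decremented
    return [rx.accept(spoofed), rx.accept(bytes(hop)), rx.accept(pkt)]
```

The rewritten source address fails the ICV, the TTL change does not, and the second delivery of sequence number 1 is dropped as a replay.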