
Re: Deprecation of AH header from the IPSEC tool kit



>>>>> "Michael" == Michael Thomas <mat@cisco.com> writes:

 Michael> Paul Koning writes:
 >> It's never been the point of any of this discussion to deprecate
 >> the notion that authentication is useful -- the issue is whether
 >> it makes sense to retain AH when ESP does the job with
 >> significantly less hassle.

 Michael> What keeps nagging at me is the overhead of both AH and ESP,
 Michael> not to mention the added complexity.

 Michael> This might be water well under the bridge, but has the
 Michael> thought of having a mode to ESP which protects the outer
 Michael> headers? 

That's no help, because that is exactly the difference that makes AH
so much harder than ESP.  (Well, there's details like having the MAC
in the header rather than the trailer.  Then again, ESP puts the
NextHeader value in the wrong place, so they're even...)

The reason I like ESP authentication is precisely the fact that it
doesn't contain all the hair needed to protect a subset of IP header
fields.

	paul


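The "hair" Paul refers to is the fixup AH (RFC 4302) must apply to the outer IP header before computing its integrity check value: every field a router may legitimately rewrite in transit (DSCP/ECN, Flags, Fragment Offset, TTL, Header Checksum) has to be zeroed, the AH ICV field itself has to be zeroed, and the MAC then covers the header, the AH header and the payload. ESP (RFC 4303) authenticates only its own header, payload and trailer, so the outer header is simply not an input. The following Python is an added illustration written for this archive page, not code from either poster; it assumes a 20-byte IPv4 header without options, HMAC-SHA-256 truncated to 128 bits as the integrity algorithm, and constructed sample key, addresses and payload. It shows that the AH ICV is stable across a TTL decrement but changes when the source address is altered, while the ESP ICV never depends on the outer header at all.

```python
# Added example (not from the thread): why AH's ICV is harder to compute than ESP's.
import hmac
import hashlib
import struct

KEY = b"constructed-demo-key"   # constructed sample key, not from any real SA
ICV_LEN = 16                    # HMAC-SHA-256-128: 32-byte digest truncated to 16 bytes

# IPv4 header (RFC 791), 20 bytes without options:
# ver/ihl, tos, total length, id, flags/frag offset, ttl, protocol, checksum, src, dst
IPV4_FMT = "!BBHHHBBH4s4s"


def build_ipv4(src: bytes, dst: bytes, proto: int, payload_len: int,
               ttl: int = 64, tos: int = 0, checksum: int = 0) -> bytes:
    """Pack a minimal IPv4 header; checksum is taken as given for illustration."""
    return struct.pack(IPV4_FMT, 0x45, tos, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, checksum, src, dst)


def zero_mutable_ipv4(hdr: bytes) -> bytes:
    """AH fixup (RFC 4302 s3.3.3.1.1.1): zero the fields routers may change."""
    fields = list(struct.unpack(IPV4_FMT, hdr[:20]))
    fields[1] = 0   # DSCP + ECN
    fields[4] = 0   # Flags + Fragment Offset
    fields[5] = 0   # TTL
    fields[7] = 0   # Header Checksum
    return struct.pack(IPV4_FMT, *fields)


def ah_icv(key: bytes, ip_hdr: bytes, spi: int, seq: int,
           payload: bytes, next_header: int) -> bytes:
    """ICV over (fixed-up IP header || AH header with ICV zeroed || payload).

    The ICV lives inside the AH header, so the header must be assembled with a
    zeroed ICV field first and the computed value patched in afterwards.
    """
    ah_len_words = (12 + ICV_LEN) // 4 - 2   # AH "Payload Len": words minus 2
    ah_fixed = struct.pack("!BBHII", next_header, ah_len_words, 0, spi, seq)
    data = zero_mutable_ipv4(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_icv(key: bytes, spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """ICV over (SPI || Seq || payload || padding || Pad Length || Next Header).

    No IP header parameter: ESP authentication never touches the outer header,
    and the ICV is appended after the trailer, so nothing has to be zeroed.
    """
    pad_len = (-(len(payload) + 2)) % 4              # align Pad Length/Next Header
    padding = bytes(range(1, pad_len + 1))           # RFC 4303 default padding values
    body = (struct.pack("!II", spi, seq) + payload + padding
            + bytes([pad_len, next_header]))
    return hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def demo() -> dict:
    """Compare the two ICVs across a hop-count change and a source-address change."""
    src, dst, spoof = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes([192, 0, 2, 9])
    payload = b"constructed transport segment"      # constructed sample payload
    spi, seq, inner_proto = 0x1000, 1, 6           # next header 6 = TCP

    # Same packet as sent (TTL 64) and as received three hops later (TTL 61,
    # checksum recomputed by the routers); values are constructed.
    sent = build_ipv4(src, dst, 51, len(payload), ttl=64, checksum=0x1111)
    arrived = build_ipv4(src, dst, 51, len(payload), ttl=61, checksum=0x1114)
    tampered = build_ipv4(spoof, dst, 51, len(payload), ttl=61, checksum=0x1114)

    ah_sent = ah_icv(KEY, sent, spi, seq, payload, inner_proto)
    ah_arrived = ah_icv(KEY, arrived, spi, seq, payload, inner_proto)
    ah_tampered = ah_icv(KEY, tampered, spi, seq, payload, inner_proto)
    esp_value = esp_icv(KEY, spi, seq, payload, inner_proto)

    return {
        "ah_survives_hops": ah_sent == ah_arrived,          # TTL/checksum zeroed
        "ah_detects_src_change": ah_sent != ah_tampered,    # src is immutable, covered
        "esp_independent_of_outer_header": esp_value == esp_icv(KEY, spi, seq, payload, inner_proto),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note that `esp_icv` cannot even be handed the outer header: that is the whole trade. ESP authentication is easy to specify and to implement precisely because it gives up on the header fields, and the NextHeader-in-the-trailer layout mentioned above is the price ESP pays for keeping the ICV at the end instead of inside the header as AH does.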