Re: Deprecation of AH header from the IPSEC tool kit
Paul Koning writes:
> Michael> What keeps nagging at me is the overhead of both AH and ESP,
> Michael> not to mention the added complexity.
>
> Michael> This might be water well under the bridge, but has the
> Michael> thought of having a mode to ESP which protects the outer
> Michael> headers?
>
> That's no help, because that is exactly the difference that makes AH
> so much harder than ESP. (Well, there's details like having the MAC
> in the header rather than the trailer. Then again, ESP puts the
> NextHeader value in the wrong place, so they're even...)
>
> The reason I like ESP authentication is precisely the fact that it
> doesn't contain all the hair needed to protect a subset of IP header
> fields.
Maybe you're misunderstanding me: if ESP had a
bit which said "I'm protecting the outside
headers too", it could be either signaled or
potentially even done on an as-needed basis
by the IPsec stack for IP headers which would
otherwise require AH. I'm all for not
protecting things that don't need protection
otherwise.
Mike