
Re: Deprecation of AH header from the IPSEC tool kit



>>>>> "Ben" == Ben McCann <bmccann@indusriver.com> writes:

 Michael> This might be water well under the bridge, but has the
 Michael> thought of having a mode to ESP which protects the outer
 Michael> headers?

 Ben> Aren't your goals met by using ESP _tunnel_ mode? Just tunnel
 Ben> the OSPF, RIP, etc, packet from one box to the other. The
 Ben> tunneled packet has an inner IP header that is completely secured by
 Ben> ESP. This is the header seen by OSPF, RIP, etc, once ESP
 Ben> completes the authentication of the packet.

That certainly does the job.  The trouble appears if someone wants to
use transport mode (perhaps to save a few bytes) and then decides that
for some reason there are IP headers worthy of protection.  That's
where the messy hybrid (AH) appears.

    paul

