Re: Deprecation of AH header from the IPSEC tool kit
>>>>> "Ben" == Ben McCann <bmccann@indusriver.com> writes:
Michael> This might be water well under the bridge, but has the
Michael> thought of having a mode to ESP which protects the outer
Michael> headers?
Ben> Aren't your goals met by using ESP _tunnel_ mode? Just tunnel
Ben> the OSPF, RIP, etc, packet from one box to the other. The
Ben> tunneled packet has an inner IP header that is completely secured by
Ben> ESP. This is the header seen by OSPF, RIP, etc, once ESP
Ben> completes the authentication of the packet.
That certainly does the job. The trouble appears if someone wants to
use transport mode (perhaps to save a few bytes) and then decides that
for some reason there are IP headers worthy of protection. That's
where the messy hybrid (AH) appears.
paul