
Re: Deprecation of AH header from the IPSEC tool kit




>>>>> "Michael" == Michael Thomas <mat@cisco.com> writes:
    Michael> Paul Koning writes:
    >> It's never been the point of any of this discussion to deprecate the
    >> notion that authentication is useful -- the issue is whether it makes
    >> sense to retain AH when ESP does the job with significantly less
    >> hassle.

    Michael> What keeps nagging at me is the overhead of both AH and ESP, not
    Michael> to mention the added complexity.

  If two routers need privacy and authenticity, they can use end-to-end ESP,
as they can get strong origin authentication by virtue of the integrity
check succeeding in the ESP. Don't trust the source IP, rather take the
appropriate source IP from the SA to look up the appropriate PCB for the
TCP/UDP session you are protecting. 

   :!mcr!:            |  Solidum Systems Corporation, http://www.solidum.com
   Michael Richardson |For a better connected world,where data flows faster<tm>
 Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
	mailto:mcr@sandelman.ottawa.on.ca	mailto:mcr@solidum.com
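
The lookup rule in the message above, sketched as an added example that is not part of the original post: once the ESP integrity check passes, the remote address used to find the PCB comes from the SA, not from the IP header. All structure and function names are hypothetical, the SA/PCB tables and packet are constructed, and `icv_ok` stands in for real ICV verification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified structures; not taken from any real IPsec stack. */
struct sa  { uint32_t spi, peer_addr; };   /* peer address bound when the SA was set up */
struct pcb { uint32_t raddr; uint16_t rport, lport; int id; };
struct pkt { uint32_t hdr_src, spi; uint16_t sport, dport;
             int icv_ok; };                /* stand-in for real ESP ICV verification */

/* Constructed sample state: two peers, each with one SA and one TCP session. */
static const struct sa  sad[]  = { {0x1001, 0x0A000001}, {0x1002, 0x0A000002} };
static const struct pcb pcbs[] = { {0x0A000001, 179, 40000, 1},
                                   {0x0A000002, 179, 40000, 2} };

static const struct sa *sa_lookup(uint32_t spi) {
    for (size_t i = 0; i < sizeof sad / sizeof sad[0]; i++)
        if (sad[i].spi == spi) return &sad[i];
    return NULL;
}

static int pcb_lookup(uint32_t raddr, uint16_t rport, uint16_t lport) {
    for (size_t i = 0; i < sizeof pcbs / sizeof pcbs[0]; i++)
        if (pcbs[i].raddr == raddr && pcbs[i].rport == rport && pcbs[i].lport == lport)
            return pcbs[i].id;
    return -1;
}

/* Demux keyed on the IP header source, which the ESP ICV does not cover. */
int demux_by_header(const struct pkt *p) {
    return pcb_lookup(p->hdr_src, p->sport, p->dport);
}

/* Demux keyed on the SA: drop unless the SPI is known and the ICV verified,
 * then use the address bound to the SA as the remote address. */
int demux_by_sa(const struct pkt *p) {
    const struct sa *sa = sa_lookup(p->spi);
    if (sa == NULL || !p->icv_ok) return -1;
    return pcb_lookup(sa->peer_addr, p->sport, p->dport);
}

int main(void) {
    /* Constructed packet: verifies under SA 0x1002, header source claims 10.0.0.1. */
    struct pkt p = { 0x0A000001, 0x1002, 179, 40000, 1 };
    printf("header demux -> pcb %d, SA demux -> pcb %d\n",
           demux_by_header(&p), demux_by_sa(&p));
    return 0;
}
```

With the SA-keyed lookup the packet is delivered to the session belonging to the peer that holds the SA, whatever the header source says.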





