[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Deprecation of AH header from the IPSEC tool kit

To: Paul Koning <pkoning@xedia.com>
Subject: RE: Deprecation of AH header from the IPSEC tool kit
From: "Waters, Stephen" <Stephen.Waters@cabletron.com>
Date: Thu, 15 Jun 2000 13:38:30 +0100
Cc: ipsec@lists.tislabs.com
Sender: owner-ipsec@lists.tislabs.com

I can see the ESP authentication is fine when tunnel mode is in use - but
for peer to peer routing protocols, transport mode seems more appropriate
and the security of IP header and options could then be a requirement.

Steve.

-----Original Message-----
From: Paul Koning [mailto:pkoning@xedia.com]
Sent: Wednesday, June 14, 2000 2:33 PM
To: Stephen.Waters@cabletron.com
Cc: ipsec@lists.tislabs.com; isis-wg@juniper.net;
ospf@discuss.microsoft.com; ietf-rip@baynetworks.com
Subject: Re: Deprecation of AH header from the IPSEC tool kit

>>>>> "Waters," == Waters, Stephen <Stephen.Waters@cabletron.com> writes:

 Waters,> There has been some discussion recently on the possible
 Waters,> deprecation of the Authentication Header defined for
 Waters,> 'whole-packet' authentication.

 Waters,> I 'think' the decision was to leave it alone, and allow AH
 Waters,> to wait for its day.

 >> From reading the various, associated methods of securing ISIS,
 >> OSPF and
 Waters,> RIPV2 messages, it seems to me that AH is perfect for the
 Waters,> protection of these protocols.

 Waters,> The current HMAC-MD5 options have the following exposures
 Waters,> that are solved with AH:

 Waters,> 1) no source address authentication (IP header
 Waters,> authentication in general) 2) poor/no replay protection 3)
 Waters,> manual keys - which restricts key length and complexity to
 Waters,> human-manageable keys, and makes for difficult key change
 Waters,> procedures.

 Waters,> IPSEC+AH would seem to be a good choice for all control
 Waters,> traffic exchange between routers. If this exchange is
 Waters,> confidential, the ESP could be used as well.

Yes, but if it's not confidential (which is the likely case) then ESP
in authentication only mode will serve just as well.

It's never been the point of any of this discussion to deprecate the
notion that authentication is useful -- the issue is whether it makes
sense to retain AH when ESP does the job with significantly less
hassle.

   paul

Follow-Ups:

RE: Deprecation of AH header from the IPSEC tool kit

From: Henry Spencer <henry@spsystems.net>

Prev by Date: I-D ACTION:draft-ietf-ipsec-doi-tc-mib-03.txt
Next by Date: Re: Deprecation of AH header from the IPSEC tool kit
Prev by thread: Re: Deprecation of AH header from the IPSEC tool kit
Next by thread: RE: Deprecation of AH header from the IPSEC tool kit
Index(es):
- Main
- Thread