RE: Deprecation of AH header from the IPSEC tool kit
I can see the ESP authentication is fine when tunnel mode is in use - but
for peer-to-peer routing protocols, transport mode seems more appropriate
and the security of the IP header and options could then be a requirement.
Steve.
-----Original Message-----
From: Paul Koning [mailto:pkoning@xedia.com]
Sent: Wednesday, June 14, 2000 2:33 PM
To: Stephen.Waters@cabletron.com
Cc: ipsec@lists.tislabs.com; isis-wg@juniper.net;
ospf@discuss.microsoft.com; ietf-rip@baynetworks.com
Subject: Re: Deprecation of AH header from the IPSEC tool kit
>>>>> "Waters," == Waters, Stephen <Stephen.Waters@cabletron.com> writes:
Waters,> There has been some discussion recently on the possible
Waters,> deprecation of the Authentication Header defined for
Waters,> 'whole-packet' authentication.
Waters,> I 'think' the decision was to leave it alone, and allow AH
Waters,> to wait for its day.
Waters,> From reading the various associated methods of securing ISIS,
Waters,> OSPF and RIPV2 messages, it seems to me that AH is perfect for
Waters,> the protection of these protocols.
Waters,> The current HMAC-MD5 options have the following exposures
Waters,> that are solved with AH:
Waters,> 1) no source address authentication (IP header
Waters,> authentication in general)
Waters,> 2) poor/no replay protection
Waters,> 3) manual keys - which restricts key length and complexity to
Waters,> human-manageable keys, and makes for difficult key change
Waters,> procedures.
Waters,> IPSEC+AH would seem to be a good choice for all control
Waters,> traffic exchange between routers. If this exchange is
Waters,> confidential, the ESP could be used as well.
Yes, but if it's not confidential (which is the likely case) then ESP
in authentication-only mode will serve just as well.
It's never been the point of any of this discussion to deprecate the
notion that authentication is useful -- the issue is whether it makes
sense to retain AH when ESP does the job with significantly less
hassle.
paul
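The point the two messages disagree on, as an added illustration that is not part of either message: in transport mode the AH ICV is computed over the IP header with its mutable fields zeroed (RFC 2402), while ESP in authentication-only mode covers nothing before the ESP header, so a rewritten source address is caught by AH but is invisible to ESP. The router addresses, payload and key are constructed placeholders, and HMAC-MD5-96 is assumed as the integrity algorithm.

```python
import hmac, hashlib, struct

# Constructed sample values, not from the thread: two router addresses, an
# OSPF-like payload and a placeholder key (real keys would come from IKE).
KEY = b"placeholder-key-not-for-production"
SRC, DST, OTHER = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes([192, 0, 2, 9])
PAYLOAD = b"OSPF Hello (constructed placeholder bytes)"
AH_HDR = struct.pack("!BBHII", 89, 4, 0, 0x1000, 1) + b"\x00" * 12  # next=OSPF, ICV zeroed
ESP_HDR = struct.pack("!II", 0x1000, 1)                              # SPI, sequence number

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header, no options; checksum left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, src, dst)

def ah_normalise(hdr):
    """RFC 2402 3.3.3.1.1: zero the mutable fields (TOS, flags/frag, TTL, checksum)."""
    h = bytearray(hdr)
    h[1] = 0; h[6:8] = b"\x00\x00"; h[8] = 0; h[10:12] = b"\x00\x00"
    return bytes(h)

def icv(data):
    """HMAC-MD5-96: the truncated MAC both AH and ESP use with this algorithm."""
    return hmac.new(KEY, data, hashlib.md5).digest()[:12]

def ah_icv(ip_hdr, payload):
    """AH covers the normalised IP header, the AH header and the payload."""
    return icv(ah_normalise(ip_hdr) + AH_HDR + payload)

def esp_icv(payload):
    """ESP-null covers only the ESP header and payload; the IP header is outside."""
    return icv(ESP_HDR + payload)

def verify_after_transit():
    """Receiver-side check: which in-transit header changes does each mode detect?"""
    n = 20 + len(AH_HDR) + len(PAYLOAD)
    sent = ipv4_header(SRC, DST, 51, n)
    ah_ref, esp_ref = ah_icv(sent, PAYLOAD), esp_icv(PAYLOAD)
    hop = ipv4_header(SRC, DST, 51, n, ttl=63)        # legitimate TTL decrement
    rewritten = ipv4_header(OTHER, DST, 51, n, ttl=63)  # source address changed
    return {
        "ah_accepts_ttl_decrement": hmac.compare_digest(ah_icv(hop, PAYLOAD), ah_ref),
        "ah_detects_source_change": not hmac.compare_digest(ah_icv(rewritten, PAYLOAD), ah_ref),
        # ESP's ICV never covered the IP header, so the change cannot be noticed
        "esp_detects_source_change": not hmac.compare_digest(esp_icv(PAYLOAD), esp_ref),
    }

if __name__ == "__main__":
    print(verify_after_transit())
```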