
Re: Deprecation of AH header from the IPSEC tool kit



Michael Richardson writes:
 > 
 > >>>>> "itojun" == itojun  <itojun@iijlab.net> writes:
 >     >> Assume that Steve Bellovin has convinced everyone that all current
 >     >> IPv6 extension headers do not benefit from AH, or carry information
 >     >> that could be independently verified from info stored in the
 >     >> SA-table. (e.g. legitimate source addresses, pointers to
 >     >> PCBs). i.e. there is no current reason to have AH vs ESP in IPv6.
 > 
 >     itojun> the observation is incorrect.  there are extension headers that
 >     itojun> require protection from AH: mobile-ip6 headers like binding
 >     itojun> update.
 > 
 >   Yes, I know.
 > 
 >   ipngwg could say, "mobile-ip6 is not important enough to mandate AH
 > in all IPv6 end-nodes. If they want to support mobile-ip6, they'll
 > need to do AH."

   Not protecting Binding Cache Updates would relegate
   mobile v6 to the same krufty dog leg routing that
   is required in v4 mobility. I certainly would not
   support anything which made it harder to get to
   v6 style mobility, which is what the above would do.

   Whether that must be using AH is another matter.

	    Mike

