
RE: Deprecation of AH header from the IPSEC tool kit




Although all sorts of attacks are possible, it is good to know when they are
happening.
With ESP-tunnel mode, the outer header is exposed to various DoS attacks -
like messing with the TTL, frag bits etc.

For ESP-transport mode, the header and options fields are exposed.

I think these are good reasons to use AH, or to add a variant of ESP that
authenticates the whole packet - hopefully not encrypting the whole packet
:)

Steve.
 


In IPv4, a transport mode security protocol header appears immediately after
the IP header and any options, and before any higher layer protocols (e.g.,
TCP or UDP).

-----Original Message-----
From: Michael Richardson [mailto:mcr@solidum.com]
Sent: Wednesday, June 14, 2000 9:23 PM
To: mat@cisco.com; Stephen.Waters@cabletron.com;
ipsec@lists.tislabs.com; isis-wg@juniper.net;
ospf@discuss.microsoft.com; ietf-rip@baynetworks.com
Subject: Re: Deprecation of AH header from the IPSEC tool kit 



>>>>> "Michael" == Michael Thomas <mat@cisco.com> writes:
    Michael> Maybe you're misunderstanding me: if ESP had a bit which said
    Michael> "I'm protecting the outside headers too", it could be either
    Michael> signaled or potentially even done on an as-needed basis by the
    Michael> IPsec stack for IP headers which would otherwise require AH. I'm
    Michael> all for not protecting things that don't need protection
    Michael> otherwise.

  The point that Steve Bellovin keeps making, and which he has written about,
is that AH does not provide much more in the way of authentication than ESP
does (at least for IPv4). The outer headers are all either irrelevant, or can
be derived from the SPD, so you don't have to trust them.

  I believe that there are other things that AH provides (like the 
guarantee that the contents are not encrypted and therefore can be audited),
and things that will be defined in IPv6-extension land that will make AH
a useful thing to keep in the spec, just not MUST it.

   :!mcr!:            |  Solidum Systems Corporation, http://www.solidum.com
   Michael Richardson |  For a better connected world, where data flows faster<tm>
 Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
	mailto:mcr@sandelman.ottawa.on.ca	mailto:mcr@solidum.com
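The thread above argues over which IPv4 header fields AH actually protects beyond what ESP does. The following is an added example, not code from the thread or from any IPsec implementation: it builds an AH packet and an ESP (NULL-encryption) packet over the same constructed payload, computes HMAC-SHA1-96 integrity values the way RFC 2402 and RFC 2406 scope them, then applies a few on-path modifications and reports which of the two detects each one. AH zeroes the mutable IPv4 fields (TOS, flags, fragment offset, TTL, header checksum) before computing its ICV, so TTL and flag changes pass AH verification; the addresses, protocol, length and ID are covered by AH but sit entirely outside ESP's ICV, which starts at the ESP header. The key, SPI, addresses and payload are made up for the demo, and the header is assumed to carry no IP options (IHL = 5), so the per-option mutable/immutable handling of RFC 2402 is not implemented.

```python
"""AH vs ESP integrity coverage over an IPv4 packet (RFC 2402 / RFC 2406 scoping).

Added example, not from the mailing-list thread. Key, SPI, addresses and
payload are constructed for the demo; HMAC-SHA1-96 per RFC 2404.
"""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key-not-real"  # assumption: the SA's shared auth key (made up)
SPI = 0x00001234                        # assumption: demo SPI
ICV_LEN = 12                            # HMAC-SHA1-96: 96-bit truncated tag
AH_PROTO, ESP_PROTO, TCP_PROTO = 51, 50, 6
IP_HLEN = 20                            # no options (IHL = 5) assumed throughout
AH_HLEN = 12 + ICV_LEN                  # fixed AH fields + Authentication Data


def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0, ident=0x4242, flags_frag=0x4000):
    """20-byte IPv4 header with DF set. Checksum is left zero: it is mutable and
    is zeroed before the AH ICV anyway, so the demo does not bother computing it."""
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, tos, total_len, ident,
                       flags_frag, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ah_icv(pkt):
    """RFC 2402 ICV: zero the mutable IPv4 fields and the AH ICV field, MAC the rest."""
    buf = bytearray(pkt)
    buf[1] = 0                                  # TOS
    buf[6:8] = b"\x00\x00"                      # Flags + Fragment Offset (DF included)
    buf[8] = 0                                  # TTL
    buf[10:12] = b"\x00\x00"                    # Header checksum
    icv_off = IP_HLEN + 12
    buf[icv_off:icv_off + ICV_LEN] = bytes(ICV_LEN)   # AH Authentication Data
    return hmac.new(KEY, bytes(buf), hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(src, dst, inner_proto, payload, seq=1):
    """IPv4 | AH | payload, transport mode, ICV filled in."""
    total_len = IP_HLEN + AH_HLEN + len(payload)
    ip = ipv4_header(src, dst, AH_PROTO, total_len)
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 2402 section 2.2).
    ah = struct.pack("!BBHII", inner_proto, AH_HLEN // 4 - 2, 0, SPI, seq) + bytes(ICV_LEN)
    pkt = bytearray(ip + ah + payload)
    icv_off = IP_HLEN + 12
    pkt[icv_off:icv_off + ICV_LEN] = ah_icv(pkt)
    return bytes(pkt)


def ah_verify(pkt):
    icv_off = IP_HLEN + 12
    return hmac.compare_digest(ah_icv(pkt), bytes(pkt[icv_off:icv_off + ICV_LEN]))


def build_esp_packet(src, dst, payload, seq=1):
    """IPv4 | ESP(SPI, seq) | payload | ICV with NULL encryption. The ICV covers only
    the bytes from the ESP header onward; the IP header is outside it (RFC 2406)."""
    body = struct.pack("!II", SPI, seq) + payload
    tag = hmac.new(KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    ip = ipv4_header(src, dst, ESP_PROTO, IP_HLEN + len(body) + ICV_LEN)
    return ip + body + tag


def esp_verify(pkt):
    body, tag = pkt[IP_HLEN:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(hmac.new(KEY, body, hashlib.sha1).digest()[:ICV_LEN], tag)


def tamper(pkt, offset, value):
    buf = bytearray(pkt)
    buf[offset] = value
    return bytes(buf)


def coverage_report(src, dst, payload):
    """Return {modification: (ah_detects, esp_detects)} for a few on-path edits."""
    ah = build_ah_packet(src, dst, TCP_PROTO, payload)
    esp = build_esp_packet(src, dst, payload)
    # name: (offset in AH packet, offset in ESP packet, replacement byte)
    edits = {
        "ttl":      (8, 8, 1),                               # decrement-to-one style DoS
        "df_flag":  (6, 6, 0x00),                            # clear DF / flags byte
        "dst_addr": (16, 16, 0x0a),                          # first octet of destination
        "payload":  (IP_HLEN + AH_HLEN, IP_HLEN + 8, ord("P")),  # first payload byte
    }
    return {name: (not ah_verify(tamper(ah, a, v)), not esp_verify(tamper(esp, e, v)))
            for name, (a, e, v) in edits.items()}


if __name__ == "__main__":
    # Constructed sample: a TCP-ish payload between two documentation addresses.
    for name, (ah_hit, esp_hit) in coverage_report("192.0.2.1", "192.0.2.2",
                                                   b"GET / HTTP/1.0\r\n\r\n").items():
        print(f"{name:9s} AH detects: {ah_hit!s:5s} ESP detects: {esp_hit}")
```

Run as-is and the report shows the split the thread is arguing about: neither AH nor ESP catches the TTL or flag edits, because AH deliberately excludes them as mutable in transit; only AH catches the destination-address edit; both catch the payload edit. Whether the address coverage matters in practice is exactly the SPD argument made in the quoted reply, since the receiver already selects the SA by destination address and SPI.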





