
RE: Deprecation of AH header from the IPSEC tool kit



>>>>> "Waters," == Waters, Stephen <Stephen.Waters@cabletron.com> writes:

 Waters,> Although all sorts of attacks are possible, it is good to
 Waters,> know when they are happening.  With ESP-tunnel mode, the outer
 Waters,> header is exposed to various DOS attacks - like messing with
 Waters,> the TTL, frag bits etc.

 Waters,> For ESP-transport mode, the header and options fields are
 Waters,> exposed.

 Waters,> I think these are good reasons to use AH,...

AH won't help with attacks on TTL or frag bits because those are
mutable fields; they aren't authenticated because they cannot be.

Yes, with ESP transport mode the header and option fields are not
authenticated.  If that matters it would be one thing.  It doesn't
matter for IPv4.  For IPv6 it may matter in a very limited set of
cases, though I'll want to look further before I'm convinced.

       paul
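The mutable-field point above, as an added illustration that is not part of the thread: an AH integrity check value computed the way RFC 2402 prescribes for IPv4 (TOS, flags/fragment offset, TTL and header checksum zeroed before hashing). Changing TTL or fragment bits leaves the ICV identical, so a receiver cannot detect it; changing the source address does not. The key, addresses, SPI and the HMAC-SHA1-96 transform (RFC 2404) are constructed assumptions for the demo.

```python
import hmac
import hashlib
import struct
from socket import inet_aton


def build_ipv4(src, dst, ttl, tos=0, flags_frag=0x4000, ident=0x1234,
               total_len=64, proto=51):
    """Constructed 20-byte IPv4 header (no options); checksum left as 0.
    proto=51 is AH. flags_frag 0x4000 = DF set, offset 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident,
                       flags_frag, ttl, proto, 0, inet_aton(src), inet_aton(dst))


def ah_mask_mutable(ip_hdr):
    """RFC 2402 3.3.3.1.1: mutable IPv4 fields are zeroed for ICV computation."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS / DSCP
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(key, ip_hdr, spi, seq, payload, next_hdr=6):
    """HMAC-SHA1-96 over masked IP header + AH header (ICV zeroed) + payload.
    AH is 24 bytes = 6 words; Payload Len field = words - 2 = 4."""
    ah_no_icv = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + b"\x00" * 12
    data = ah_mask_mutable(ip_hdr) + ah_no_icv + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def ah_detects_change(key, orig_hdr, tampered_hdr, spi=0x100, seq=1,
                      payload=b"constructed payload"):
    """True if the receiver's ICV check would fail for the tampered header."""
    return ah_icv(key, orig_hdr, spi, seq, payload) != \
        ah_icv(key, tampered_hdr, spi, seq, payload)


KEY = b"constructed-demo-key"          # assumption, not a real SA key
BASE = build_ipv4("192.0.2.1", "198.51.100.2", ttl=64)
TTL_CHANGED = build_ipv4("192.0.2.1", "198.51.100.2", ttl=3)
FRAG_CHANGED = build_ipv4("192.0.2.1", "198.51.100.2", ttl=64, flags_frag=0x2000)
SRC_CHANGED = build_ipv4("203.0.113.9", "198.51.100.2", ttl=64)

if __name__ == "__main__":
    print("TTL change detected:", ah_detects_change(KEY, BASE, TTL_CHANGED))
    print("frag bits change detected:", ah_detects_change(KEY, BASE, FRAG_CHANGED))
    print("source addr change detected:", ah_detects_change(KEY, BASE, SRC_CHANGED))
```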

