Re: [Isis-wg] Re: Deprecation of AH header from the IPSEC tool kit

[RJ Atkinson <rja@inet.org>]

At 14:07 14/06/00 , Ben McCann wrote:

>Aren't your goals met by using ESP _tunnel_ mode? 

No.  ESP does not and can not authenticate the IP headers 
and IP-layer options.   If the options are in a tunneled
packet, the outer header's options (i.e. the ones actually used)
are still unprotected.

AH and ESP do not have the same security properties.  The
things that most folks dislike about AH would be similarly
annoying if there were an ESP variant that protected the
outer header.

Ran
rja@inet.org

---

Follow-Ups:

• Re: [Isis-wg] Re: Deprecation of AH header from the IPSEC tool kit
• From: Paul Koning <pkoning@xedia.com>

References:

• Deprecation of AH header from the IPSEC tool kit
• From: "Waters, Stephen" <Stephen.Waters@cabletron.com>
• Re: Deprecation of AH header from the IPSEC tool kit
• From: Paul Koning <pkoning@xedia.com>
• Re: Deprecation of AH header from the IPSEC tool kit
• From: Michael Thomas <mat@cisco.com>
• Re: Deprecation of AH header from the IPSEC tool kit
• From: Paul Koning <pkoning@xedia.com>
• Re: Deprecation of AH header from the IPSEC tool kit
• From: Michael Thomas <mat@cisco.com>
• Re: Deprecation of AH header from the IPSEC tool kit
• From: Paul Koning <pkoning@xedia.com>
• Re: Deprecation of AH header from the IPSEC tool kit
• From: Ben McCann <bmccann@indusriver.com>

---

• Prev by Date: RE: Deprecation of AH header from the IPSEC tool kit
• Next by Date: Re: Deprecation of AH header from the IPSEC tool kit
• Prev by thread: Re: Deprecation of AH header from the IPSEC tool kit
• Next by thread: Re: [Isis-wg] Re: Deprecation of AH header from the IPSEC tool kit
• Index(es):
  • Main
  • Thread