[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Deprecation of AH header from the IPSEC tool kit

To: ipsec@lists.tislabs.com
Subject: Re: Deprecation of AH header from the IPSEC tool kit
From: KokMing <km.ang@student.qut.edu.au>
Date: Fri, 16 Jun 2000 16:49:51 +1000 (EST)
In-reply-to: <14665.30412.271672.844140@thomasm-u1.cisco.com>
Sender: owner-ipsec@lists.tislabs.com


snip..
>  > The real issue here is that VPN Product vendors currently dominate 
>  > the IPsec WG.  VPN vendors don't want to support AH and aren't building
>  > IPv6 products, yet they want to claim to be fully "IPsec Compliant" 
>  > (which is marketing speak; I have no clue what it really means).  
>  > In short, some of the impetus behind this proposal is to solve a 
>  > marketing problem -- most of the remainder is largely smoke-screen.  
> 
>    I see. This couldn't have anything to do with
>    header bandwidth overhead concerns, not to mention
>    the near mind-bending complexity of 2 degrees of 
>    freedom with ah/esp/transport/tunnel and its 
>    interaction with things that need to consider
>    IP headers.

Wouldn't it be better to enforce something like:
"ESP can never be used without AH", or "One must apply 
encryption before authentication".

And if I'm not mistaken, the aim of IPsec is to provide high quality
security services for IP (note: NOT VPN). Complex variations in the 
name of flexibility aren't purposeful.

This may sound harsh, but complex things don't last (look at OSI model).


Kokming Ang
ISRC
Queensland University of Technology

References:

Re: Deprecation of AH header from the IPSEC tool kit

From: Michael Thomas <mat@cisco.com>

Prev by Date: Re: Deprecation of AH header from the IPSEC tool kit
Next by Date: Re: [Isis-wg] Re: Deprecation of AH header from the IPSEC tool kit
Prev by thread: Re: Deprecation of AH header from the IPSEC tool kit
Next by thread: Re: Deprecation of AH header from the IPSEC tool kit
Index(es):
- Main
- Thread