
Re: Deprecation of AH header from the IPSEC tool kit

At 20:37 15/06/00 , Michael Thomas wrote:
>    I see. This couldn't have anything to do with
>    header bandwidth overhead concerns, 

         Overhead is about the same for ESP-Auth-only and AH.

>not to mention the near mind-bending complexity of 2 degrees of 
>    freedom with ah/esp/transport/tunnel 

         So use ESP-with-auth-and-encrypt to build VPNs
-- if you don't need the properties available only with AH.

         The NRL 4.4-BSD code for ESP and AH was simple, tidy, and
written in about 3 weeks by an undergraduate EE student
(from the old RFCs).  It worked.  It included both transport
and tunnel mode and multiple algorithms.  A fair chunk of
the coding time was spent dealing with mbuf-isms not present
in IOS.  The NRL code had PF_KEY for key management, but did
not have ISAKMP/IKE.  

         I strongly disagree that it is "near mind-bending complexity", 
using the old NRL code as an existence proof of this (both in code size 
and in terms of the time it originally took to code up back in 1995).

>and its 
>    interaction with things that need to consider
>    IP headers.

         If you really want to simplify an IPsec implementation,
there are better targets out there than AH.

Ran
rja@inet.org
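Two of Ran's points above can be checked concretely: that per-packet overhead is about the same for ESP-auth-only and AH, and that AH offers a property ESP does not (its ICV covers the immutable fields of the outer IP header, while ESP's ICV covers only the ESP header, payload and trailer). The following is an added example, not code from the original post and not the NRL 4.4-BSD code it describes. It assumes HMAC-SHA1-96 (RFC 2404) as the integrity algorithm for both, a 20-byte IPv4 header with no options, ESP in transport mode with the NULL cipher (RFC 2410), and constructed addresses, key and payload; the IPv4 checksum is left at zero because it is never authenticated.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12      # HMAC-SHA1-96: the 20-byte HMAC-SHA1 output truncated to 96 bits
AH_PROTO = 51     # IP protocol numbers for AH and ESP
ESP_PROTO = 50

# Constructed test values (not from the original post)
KEY = b"constructed-test-key"
SRC = bytes([10, 0, 0, 1])
DST = bytes([10, 0, 0, 2])


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    # version/IHL, ToS, total length, id, flags+frag, TTL, proto, checksum(0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)


def zero_mutable_ipv4(hdr: bytes) -> bytes:
    # RFC 2402: ToS, Flags/Fragment Offset, TTL and Header Checksum are mutable in
    # transit, so AH zeroes them before computing or verifying the ICV.
    b = bytearray(hdr)
    b[1] = 0
    b[6:8] = b"\0\0"
    b[8] = 0
    b[10:12] = b"\0\0"
    return bytes(b)


def build_ah(src, dst, next_hdr, payload, key, spi=0x1001, seq=1) -> bytes:
    ah_len = 12 + ICV_LEN                      # fixed AH fields + ICV = 24 bytes
    ip = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload))
    # Payload Length = AH length in 32-bit words minus 2 (RFC 2402)
    ah_fixed = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, spi, seq)
    # ICV covers the (mutable-zeroed) IP header, AH with a zero ICV, and the payload
    icv = hmac_sha1_96(key, zero_mutable_ipv4(ip) + ah_fixed + b"\0" * ICV_LEN + payload)
    return ip + ah_fixed + icv + payload


def verify_ah(pkt: bytes, key: bytes) -> bool:
    ip, rest = pkt[:20], pkt[20:]
    ah_fixed, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    expected = hmac_sha1_96(key, zero_mutable_ipv4(ip) + ah_fixed + b"\0" * ICV_LEN + payload)
    return hmac.compare_digest(icv, expected)


def build_esp_auth_only(src, dst, next_hdr, payload, key, spi=0x2002, seq=1) -> bytes:
    # NULL cipher: pad so that payload + padding + pad-length + next-header is 32-bit aligned
    pad_len = (4 - (len(payload) + 2) % 4) % 4
    padding = bytes(range(1, pad_len + 1))     # default monotonic pad bytes 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_hdr])
    icv = hmac_sha1_96(key, body)              # ICV covers SPI..next header only, not the IP header
    ip = ipv4_header(src, dst, ESP_PROTO, 20 + len(body) + ICV_LEN)
    return ip + body + icv


def verify_esp_auth_only(pkt: bytes, key: bytes) -> bool:
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac_sha1_96(key, body))


def overhead(payload_len: int) -> tuple:
    """Bytes added on top of IP header + payload: (AH, ESP-auth-only with NULL cipher)."""
    ah = 12 + ICV_LEN
    pad = (4 - (payload_len + 2) % 4) % 4
    esp = 8 + pad + 2 + ICV_LEN
    return ah, esp


def tamper_src(pkt: bytes, new_src: bytes) -> bytes:
    # Rewrite the IPv4 source address in place (bytes 12..16)
    return pkt[:12] + new_src + pkt[16:]


def with_ttl(pkt: bytes, ttl: int) -> bytes:
    # Simulate a router decrementing TTL (byte 8); a mutable field, so AH must still verify
    return pkt[:8] + bytes([ttl]) + pkt[9:]


if __name__ == "__main__":
    payload = b"x" * 40
    ah = build_ah(SRC, DST, 17, payload, KEY)
    esp = build_esp_auth_only(SRC, DST, 17, payload, KEY)
    print("overhead (AH, ESP) for 40..43 byte payloads:", [overhead(n) for n in range(40, 44)])
    print("AH ok:", verify_ah(ah, KEY), "after TTL change:", verify_ah(with_ttl(ah, 63), KEY))
    print("AH after source spoof:", verify_ah(tamper_src(ah, bytes([10, 0, 0, 9])), KEY))
    print("ESP after source spoof:", verify_esp_auth_only(tamper_src(esp, bytes([10, 0, 0, 9])), KEY))
```

Running it shows AH at a fixed 24 bytes against 22 to 25 bytes for ESP-auth-only depending on payload alignment, which is the "about the same" in the post. The second half shows the difference that matters when choosing: a rewritten source address fails AH verification but is invisible to ESP's ICV, while a TTL decrement in transit leaves AH intact because that field is zeroed before hashing.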
