Re: Deprecation of AH header from the IPSEC tool kit
Radia,
> How do you authenticate something hop-by-hop when the key is only known
> end-to-end? Are you maybe assuming hop-by-hop IPSec tunnels between the
> routers listed in the source route header?
Yes, that would be the case (there would be multiple keys, one for
each hop being protected, and "one" for end-to-end protection, if that
were also included).
Here is a picture. Note that the Hop-by-Hop IPsec might be ESP
instead of AH; there is nothing (IMHO :-) worth protecting in the IPv6
header in this scenario (unless using the mobile IP scenario that has
been described on the list).
          <-------------------------- AH e -------------------------->
       <--- AH 1 --->   <--- ESP --->    <--- AH 2 --->   <--- AH 3 --->

                      Routing Domain A            Routing Domain B
              .................................   ................
   +------+   :   +--------+       +--------+ :   : +--------+   :   +------+
   | Host |_______| Router |_______| Router |_______| Router |_______| Host |
   |  1   |   :   |   Aa   |       |   Ab   | :   : |   Bc   |   :   |  2   |
   +------+   :   +--------+       +--------+ :   : +--------+   :   +------+
              :...............................:   :..............:
              ^                ^                ^                ^
              |                |                |                |
              |            +-------+ (Really    |                |
              |            | IPv6  | paranoid)  |                |
              |            | Aa->Ab|            |                |
              |            +-------+            |                |
              |            |  ESP  |            |                |
              |            | Aa:Ab |            |                |
          +-------+        +-------+        +-------+        +-------+
          | IPv6  |        | IPv6  |        | IPv6  |        | IPv6  |
          | H1->A |        | H1->B |        | H1->B |        | H1->H2|
          +-------+        |       |        +-------+        +-------+
Hop       | AH 1  |        |       |        | AH 2  |        | AH 3  |
by        | H1:Aa |        |       |        | Ab:Bc |        | H1:Aa |
Hop       +-------+        +-------+        +-------+        +-------+
          |Routing|        |Routing|        |Routing|        |Routing|
          |2   >B |        |1    A |        |1    A |        |0    A |
          |    H2 |        |   >H2 |        |   >H2 |        |     B |
          +-------+        +-------+        +-------+        +-------+
End       | AH e  |        | AH e  |        | AH e  |        | AH e  |
to        | H1:H2 |        | H1:H2 |        | H1:H2 |        | H1:H2 |
End       +-------+        +-------+        +-------+        +-------+
          |TCP/UDP|        |TCP/UDP|        |TCP/UDP|        |TCP/UDP|
          +-------+        +-------+        +-------+        +-------+
Charlie
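As an added illustration (not code from this thread), here is a small Python model of the four header stacks in the picture: one key per security association, a routing header that changes at every link, and a single AH e that stays H1:H2. It assumes, as RFC 2402 specifies for the mutable-but-predictable routing header, that H1 computes the end-to-end ICV over the routing header in the form H2 will finally see; the ESP leg Aa->Ab is left out, and the keys and route are constructed demo values.

```python
import hmac
import hashlib

# Constructed demo keys, one per SA in the picture: AH 1 (H1:Aa), AH 2 (Ab:Bc),
# AH 3 (Bc:H2) hop by hop, and AH e (H1:H2) end to end.
KEYS = {"AH 1": b"key-H1-Aa", "AH 2": b"key-Ab-Bc", "AH 3": b"key-Bc-H2",
        "AH e": b"key-H1-H2"}
ROUTE = ["A", "B", "H2"]   # source route H1 -> A -> B -> H2 (constructed)
# Hop SA protecting the packet on the link where "segments left" has this value
HOP_SA = {2: "AH 1", 1: "AH 2", 0: "AH 3"}


def icv(key, data):
    # AH-style integrity check value: HMAC truncated to 96 bits (demo only)
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def on_the_wire(segments_left, inner):
    # IPv6 destination plus routing header as they look on a given link: the
    # destination is the next hop, the other route entries sit in the header,
    # which is what the "Routing" boxes in the picture show at each link.
    dst = ROUTE[len(ROUTE) - 1 - segments_left]
    rest = ",".join(a for a in ROUTE if a != dst)
    return f"dst={dst} segleft={segments_left} [{rest}] ".encode() + inner


def verify_path(payload, predictable=True):
    # H1 computes AH e either over the routing header as H2 will see it
    # (segleft=0, the RFC 2402 rule) or, wrongly, as H1 sends it (segleft=2).
    tag_e = icv(KEYS["AH e"], on_the_wire(0 if predictable else 2, payload))
    inner = tag_e + payload
    checks = {}
    for segleft in (2, 1, 0):             # links H1->Aa, Ab->Bc, Bc->H2
        sa = HOP_SA[segleft]
        sent = icv(KEYS[sa], on_the_wire(segleft, inner))
        # The receiving peer recomputes over what arrived, using its own hop key
        checks[sa] = hmac.compare_digest(icv(KEYS[sa], on_the_wire(segleft, inner)), sent)
    # H2 checks AH e against the packet as it finally arrives (segleft=0)
    checks["AH e"] = hmac.compare_digest(icv(KEYS["AH e"], on_the_wire(0, payload)), tag_e)
    # Aa only holds the AH 1 key, so it cannot check AH e: hence one key per hop
    checks["AH e at Aa"] = hmac.compare_digest(icv(KEYS["AH 1"], on_the_wire(0, payload)), tag_e)
    return checks
```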