
Re: Deprecation of AH header from the IPSEC tool kit



Radia,

>   How do you authenticate something hop-by-hop when the key is only known
> end-to-end? Are you maybe assuming hop-by-hop IPSec tunnels between the
> routers listed in the source route header?

Yes, that would be the case (there would be multiple keys, one for
each hop being protected, and "one" for end-to-end protection, if that
were also included).

Here is a picture.  Note that the Hop-by-Hop IPsec might be ESP
instead of AH; there is nothing (IMHO :-) worth protecting in the IPv6
header in this scenario (unless using the mobile IP scenario that has
been described on the list).

   <----------------------------- AH e -------------------------->
   <--- AH 1 --->   <--- ESP --->   <--- AH 2 --->  <--- AH 3 --->

                    Routing Domain A       Routing Domain B
           ...............................  ..............
+------+   :  +--------+      +--------+ :  : +--------+ :    +------+
| Host |______| Router |______| Router |______| Router |______| Host |
|  1   |   :  |   Aa   |      |   Ab   | :  : |   Bc   | :    |   2  |
+------+   :  +--------+      +--------+ :  : +--------+ :    +------+
           :.............................:  :............:
         ^                ^                ^                ^
         |                |                |                |
         |            +-------+ (Really    |                |
         |            | IPv6  |  paranoid) |                |
         |            | Aa->Ab|            |                |
         |            +-------+            |                |
         |            |  ESP  |            |                |
         |            | Aa:Ab |            |                |
     +-------+        +-------+        +-------+        +-------+
     | IPv6  |        | IPv6  |        | IPv6  |        | IPv6  |
     | H1->A |        | H1->B |        | H1->B |        | H1->H2|
     +-------+        |       |        +-------+        +-------+
Hop  | AH 1  |        |       |        | AH 2  |        | AH 3  |
by   | H1:Aa |        |       |        | Ab:Bc |        | H1:Aa |
Hop  +-------+        +-------+        +-------+        +-------+
     |Routing|        |Routing|        |Routing|        |Routing|
     |2 >B   |        |1  A   |        |1  A   |        |0  A   |
     |   H2  |        |  >H2  |        |  >H2  |        |   B   |
     +-------+        +-------+        +-------+        +-------+
End  | AH e  |        | AH e  |        | AH e  |        | AH e  |
to   | H1:H2 |        | H1:H2 |        | H1:H2 |        | H1:H2 |
End  +-------+        +-------+        +-------+        +-------+
     |TCP/UDP|        |TCP/UDP|        |TCP/UDP|        |TCP/UDP|
     +-------+        +-------+        +-------+        +-------+

Charlie
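As an added example that is not part of the original thread, a toy Python model of the layering in the diagram: each keyed hop verifies and re-issues its own hop-by-hop AH, while AH e is computed over the packet in the form H2 will receive it (final destination, segments-left zero), so a router that rewrites the payload passes the next hop's check but fails at H2. Node and key names are constructed, the Aa->Ab segment is modelled as carrying no hop-by-hop AH (the ESP tunnel is out of scope), and the last hop's key is assumed to be shared by Bc and H2.

```python
import hmac
import hashlib

# Constructed model of the diagram: H1 sends via the source route Aa -> Ab -> Bc -> H2.
# Hop-by-hop keys (names are assumptions) exist only where the diagram shows an AH;
# the Aa->Ab segment is left to the ESP tunnel and carries no hop-by-hop AH here.
HOP_KEYS = {("H1", "Aa"): b"k-H1-Aa", ("Ab", "Bc"): b"k-Ab-Bc", ("Bc", "H2"): b"k-Bc-H2"}
END_KEY = b"k-H1-H2"   # known only to H1 and H2

def icv(key, *fields):
    """Toy AH integrity check value: HMAC-SHA256 over a canonical encoding."""
    return hmac.new(key, "|".join(map(str, fields)).encode(), hashlib.sha256).digest()

def end_to_end_icv(pkt):
    # AH e is computed over the packet as H2 will see it: destination = final hop and
    # segments-left = 0, so fields rewritten by source routing are taken in final form.
    return icv(END_KEY, pkt["src"], pkt["route"][-1], ",".join(pkt["route"]), 0, pkt["payload"])

def hop_icv(key, pkt):
    # A hop-by-hop AH covers the packet exactly as it leaves this node, AH e included.
    return icv(key, pkt["src"], pkt["dst"], ",".join(pkt["route"]), pkt["segs_left"],
               pkt["ah_e"].hex(), pkt["payload"])

def send(src, route, payload):
    pkt = {"src": src, "dst": route[0], "route": list(route),
           "segs_left": len(route) - 1, "payload": payload}
    pkt["ah_e"] = end_to_end_icv(pkt)
    pkt["ah_hop"] = hop_icv(HOP_KEYS[(src, route[0])], pkt)
    return pkt

def forward(node, prev, pkt, tamper=False):
    """Router step: verify the inbound hop AH where keyed, advance the route, re-sign."""
    key_in = HOP_KEYS.get((prev, node))
    if key_in and not hmac.compare_digest(pkt["ah_hop"], hop_icv(key_in, pkt)):
        raise ValueError(f"{node}: hop-by-hop AH from {prev} failed")
    if tamper:                          # a misbehaving router rewriting the payload
        pkt["payload"] += "!"
    if pkt["segs_left"] > 0:
        pkt["segs_left"] -= 1
        pkt["dst"] = pkt["route"][len(pkt["route"]) - 1 - pkt["segs_left"]]
        key_out = HOP_KEYS.get((node, pkt["dst"]))
        pkt["ah_hop"] = hop_icv(key_out, pkt) if key_out else None
    return pkt

def deliver(payload, tamper_by=None):
    """Send H1 -> Aa -> Ab -> Bc -> H2; return True iff H2 accepts AH e."""
    route = ["Aa", "Ab", "Bc", "H2"]
    pkt, prev = send("H1", route, payload), "H1"
    for node in route:
        pkt, prev = forward(node, prev, pkt, tamper=(node == tamper_by)), node
    return hmac.compare_digest(pkt["ah_e"], end_to_end_icv(pkt))
```

A packet altered at Ab is accepted by Bc, which only checks the Ab:Bc key, and is rejected only at H2 by AH e.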
