
Re: [Isis-wg] Re: Deprecation of AH header from the IPSEC tool kit



At 01:32 16/06/00 , Radia Perlman wrote:
>Ran said:
>
> >>               A counter-example is the Source Routing header, which can
> >>      be authenticated hop-by-hop with AH ...
>
>How do you authenticate something hop-by-hop when the key is only
>known end-to-end? 

Nothing in the ESP or AH specs prevents the key from being known 
at an intermediate point.  So the assumption that the key is only
known end-to-end isn't always true.  

Kerberos turns out to be a good way to distribute keys for this 
application.  At least one implementation of ESP/AH can use Kerberos 
for key management.  (I separately hope that use of Kerberos will get
standardised in the IETF for interoperability reasons).  Several
major ISPs (e.g. UUnet) have widespread deployment of Kerberos
in their network, including in routers.

>Are you maybe assuming hop-by-hop IPSec tunnels between the
>routers listed in the source route header?

No.

Ran
rja@inet.org
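To make the point above concrete, here is an added example (not code from the list or from any of the participants) of the mechanism Ran is relying on: AH computes its integrity check value (ICV) over the packet with mutable fields treated as zero, so a router that holds the same key as the end hosts can verify the packet after the TTL has been decremented, while a router without the key simply cannot check it. The packet layout is simplified to a handful of fields, HMAC-SHA256 stands in for the HMAC algorithms AH actually negotiates, and the key is a constructed constant; the Kerberos key-distribution step that would put that key on the routers is assumed to have happened and is not modelled.

```python
import hmac
import hashlib
import struct

# Constructed sample key. In the scenario described in the mail, the end
# hosts and the intermediate routers would all obtain it from a key
# management service such as Kerberos; that step is assumed, not modelled.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def make_packet(src, dst, ttl, payload):
    """Simplified packet: 4-byte src/dst, a TTL, and an opaque payload."""
    return {"src": src, "dst": dst, "ttl": ttl, "payload": payload}


def immutable_bytes(pkt):
    # As AH does, a field that legitimately changes in transit (here the TTL)
    # is treated as zero when the ICV is computed, so a per-hop TTL decrement
    # does not invalidate the authenticator.
    return struct.pack("!4s4sB", pkt["src"], pkt["dst"], 0) + pkt["payload"]


def compute_icv(pkt, key):
    # HMAC-SHA256 stands in for the HMAC variants AH actually negotiates.
    return hmac.new(key, immutable_bytes(pkt), hashlib.sha256).digest()


def attach_icv(pkt, key):
    """Sender side: add the ICV to the packet before transmission."""
    pkt = dict(pkt)
    pkt["icv"] = compute_icv(pkt, key)
    return pkt


def verify_icv(pkt, key):
    """Any party holding the key can check the ICV; constant-time compare."""
    return hmac.compare_digest(compute_icv(pkt, key), pkt["icv"])


def forward(pkt):
    """Per-hop processing: decrement the TTL, leave everything else alone."""
    pkt = dict(pkt)
    pkt["ttl"] -= 1
    return pkt


def traverse(pkt, hop_keys):
    """Push the packet through a list of hops. Each entry in hop_keys is the
    key that hop holds, or None if it has no key and therefore cannot verify.
    Returns one verification result per hop: True, False or None."""
    results = []
    for key in hop_keys:
        pkt = forward(pkt)
        results.append(verify_icv(pkt, key) if key is not None else None)
    return results, pkt


def demo():
    """Constructed scenario: three hops, two of which hold the key."""
    sent = attach_icv(make_packet(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 9]),
                                  ttl=64, payload=b"hello"), SHARED_KEY)
    hops = [SHARED_KEY, SHARED_KEY, None]
    good_results, delivered = traverse(sent, hops)

    # Same path, but the payload is altered in transit before the first hop.
    tampered = dict(sent)
    tampered["payload"] = b"hellp"
    bad_results, _ = traverse(tampered, hops)

    return {
        "good": good_results,          # [True, True, None]
        "tampered": bad_results,       # [False, False, None]
        "ttl_after_path": delivered["ttl"],  # 61
        "end_host_ok": verify_icv(delivered, SHARED_KEY),  # True
    }


if __name__ == "__main__":
    print(demo())
```

The result list shows the two properties the mail is arguing about: hops that share the key verify the unchanged packet even though each one modified the TTL, the hop without the key returns no verdict at all, and any change to an immutable field is caught at the first keyed hop rather than only at the destination.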

