
Re: [Isis-wg] Re: Deprecation of AH header from the IPSEC tool kit



>>>>> "RJ" == RJ Atkinson <rja@inet.org> writes:

 RJ> At 14:07 14/06/00 , Ben McCann wrote:
 >> Aren't your goals met by using ESP _tunnel_ mode?

 RJ> No.  ESP does not and can not authenticate the IP headers and
 RJ> IP-layer options.  If the options are in a tunneled packet, the
 RJ> outer header's options (i.e. the ones actually used) are still
 RJ> unprotected.

I believe you missed the point of the proposal.

The discussion on AH has been around transport mode.  I haven't seen
any argument at all that touches on AH in tunnel mode.  After all, the
arguments (IP options, authenticating IP header content) don't apply
to communication between security gateways.

So the point is this: currently there are some cases where people feel
they want to use AH in transport mode, the reason for AH being that
there supposedly are headers or options that require strong integrity.

Clearly, you get the same integrity -- or rather, more of it and more
easily -- by wrapping the to-be-protected packet in an IPsec tunnel.
Since the fields requiring protection are at that point in the INNER
header, not the outer header, they are indeed protected if ESP is
used.

	paul
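To make the coverage argument in this thread concrete, the following is an added example (not code from the post, and not from any IPsec implementation): a toy model of which bytes the integrity check value (ICV) binds in ESP tunnel mode versus AH transport mode. It assumes ESP-NULL encryption (RFC 2410) so the inner packet stays readable, an ICV of HMAC-SHA-256 truncated to 128 bits, an IPv4 checksum left at zero, all IPv4 options treated as immutable for AH (Router Alert is, per RFC 4302 Appendix A; mutable-option zeroing is omitted), and constructed addresses, SPIs and a constructed key.

```python
"""Which bytes the ICV covers: ESP tunnel mode vs AH transport mode (toy model).
Added example, not from the post.  ESP-NULL encryption, HMAC-SHA-256-128 ICV,
zero IPv4 checksum, all options treated as immutable, constructed key/addresses."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-a-real-sa"   # constructed, not a real SA key
ESP_PROTO, AH_PROTO, IPIP_PROTO = 50, 51, 4
ROUTER_ALERT = b"\x94\x04\x00\x00"            # IPv4 Router Alert option (immutable, RFC 4302 App. A)
ICV_LEN = 16

def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]

def ipv4_header(src, dst, proto, payload_len, options=b"", ttl=64):
    """IPv4 header; options padded to a 32-bit boundary; checksum left 0 (toy)."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + payload_len,
                       0, 0, ttl, proto, 0, src, dst) + options

def esp_tunnel(inner_pkt, outer_src, outer_dst, outer_options=b"", spi=0x1001, seq=1):
    """Outer IP | ESP hdr | inner packet | trailer | ICV.  The ICV covers ESP header
    through trailer: the whole inner packet (header and options included) and
    nothing of the outer header."""
    pad = -(len(inner_pkt) + 2) % 4
    trailer = bytes(range(1, pad + 1)) + bytes([pad, IPIP_PROTO])
    body = struct.pack("!II", spi, seq) + inner_pkt + trailer
    esp = body + icv(body)
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp), outer_options) + esp

def esp_receive(packet):
    """True if the ESP ICV verifies; the outer header is skipped, never checked."""
    ihl = (packet[0] & 0x0F) * 4
    return hmac.compare_digest(icv(packet[ihl:-ICV_LEN]), packet[-ICV_LEN:])

def ah_immutable(ip_hdr):
    """Zero the mutable IPv4 fields AH excludes: TOS, flags/frag offset, TTL, checksum."""
    b = bytearray(ip_hdr)
    b[1] = 0; b[6:8] = b"\x00\x00"; b[8] = 0; b[10:12] = b"\x00\x00"
    return bytes(b)

def ah_transport(src, dst, upper_proto, upper, options=b"", spi=0x2001, seq=1):
    """IP(options) | AH | upper-layer data.  The ICV binds the immutable IP header
    fields (addresses and, here, options) plus the AH header and the payload."""
    ah_len = 12 + ICV_LEN                      # fixed AH fields + ICV
    ip = ipv4_header(src, dst, AH_PROTO, ah_len + len(upper), options)
    ah_hdr = struct.pack("!BBHII", upper_proto, ah_len // 4 - 2, 0, spi, seq)
    covered = ah_immutable(ip) + ah_hdr + b"\x00" * ICV_LEN + upper
    return ip + ah_hdr + icv(covered) + upper

def ah_receive(packet):
    ihl = (packet[0] & 0x0F) * 4
    ip, ah_hdr = packet[:ihl], packet[ihl:ihl + 12]
    tag, upper = packet[ihl + 12:ihl + 12 + ICV_LEN], packet[ihl + 12 + ICV_LEN:]
    covered = ah_immutable(ip) + ah_hdr + b"\x00" * ICV_LEN + upper
    return hmac.compare_digest(icv(covered), tag)

def tamper(packet, offset, value):
    b = bytearray(packet)
    b[offset] = value
    return bytes(b)

def demo():
    """Return, per mode, whether the ICV still verifies after each tampering."""
    h1, h2 = b"\xc0\xa8\x01\x0a", b"\xc0\xa8\x02\x14"   # constructed end hosts
    g1, g2 = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"   # constructed gateways
    upper = b"\x00" * 8                                 # stand-in for UDP data
    # ESP tunnel: inner header carries Router Alert; so does the outer header.
    inner = ipv4_header(h1, h2, 17, len(upper), ROUTER_ALERT) + upper   # 24 + 8 bytes
    tun = esp_tunnel(inner, g1, g2, ROUTER_ALERT)
    inner_off = 24 + 8                                   # outer IHL 24 + ESP header 8
    esp = {
        "intact": esp_receive(tun),
        "inner_option_changed": esp_receive(tamper(tun, inner_off + 20, 0x00)),
        "inner_ttl_changed": esp_receive(tamper(tun, inner_off + 8, 1)),
        "outer_option_changed": esp_receive(tamper(tun, 20, 0x00)),
        "outer_ttl_changed": esp_receive(tamper(tun, 8, 1)),
    }
    # AH transport: the one IP header's options are bound; TTL is mutable, so not.
    ah = ah_transport(h1, h2, 17, upper, ROUTER_ALERT)
    ahr = {
        "intact": ah_receive(ah),
        "option_changed": ah_receive(tamper(ah, 20, 0x00)),
        "ttl_changed": ah_receive(tamper(ah, 8, 1)),
        "payload_changed": ah_receive(tamper(ah, 24 + 28, 0xFF)),
    }
    return {"esp_tunnel": esp, "ah_transport": ahr}
```

Calling demo() shows both halves of the thread's argument in one run: with ESP in tunnel mode, changing the inner header's Router Alert option or TTL breaks the ICV, while changing the outer header's option or TTL does not (the outer header is never covered); with AH in transport mode, changing the option or the payload breaks the ICV, while changing the mutable TTL does not. Real implementations also zero mutable-but-predictable options and keep an anti-replay window; both are left out here.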


