
Re: Deprecation of AH header from the IPSEC tool kit



>>>>> "Charles" == Charles Lynn <clynn@bbn.com> writes:

 Charles> Radia,
 >> How do you authenticate something hop-by-hop when the key is only
 >> known end-to-end? Are you maybe assuming hop-by-hop IPSec tunnels
 >> between the routers listed in the source route header?

 Charles> Yes, that would be the case (there would be multiple keys,
 Charles> one for each hop being protected, and "one" for end-to-end
 Charles> protection, if that were also included).

I suppose that's possible in some hypothetical security protocol.  It
doesn't even come close to anything in the IPsec architecture, though.
There are many reasons for that.

For example, IPsec is a two party protocol, applying protection
between the two endpoints of a conversation.

Second, if it wasn't already obvious from looking at IPsec, it becomes
highly obvious when you look at IKE.

Third, AH (RFC 2402) explicitly states that source route headers are
NOT protected by AH.

Take a look at the list of options protected by AH, as stated in
appendix A of the RFC.  That list is surprisingly small and includes
none of the well-known options (to the extent that any option can
qualify for that designation).
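Added example, not part of this message or of the thread: the script below applies the RFC 2402 Appendix A.1 IPv4 option classification and the section 3.3.3.1 mutable-field rules to a constructed packet, then computes the AH ICV with HMAC-SHA1-96 (the mandatory AH transform from RFC 2404). It shows that rewriting the addresses inside a Loose Source Route option leaves the ICV unchanged, while changing an immutable option (Router Alert) changes it. The addresses, key and payload are constructed sample values, and one detail is an assumption of this example rather than a quotation of the RFC: a mutable option is zeroed over its entire length, type and length bytes included, and unknown option numbers are treated as mutable.

```python
import hashlib
import hmac
import struct

# RFC 2402 Appendix A.1 classification, keyed by option *number*
# (the low 5 bits of the option type byte).
IMMUTABLE_OPTS = {0, 1, 2, 5, 6, 20, 21}  # EOOL, NOP, Security, Ext. Security, CIPSO, Router Alert, SDMDD
MUTABLE_OPTS = {3, 4, 7, 9, 18}          # LSRR, Timestamp, Record Route, SSRR, Traceroute


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over the IPv4 header (RFC 791)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, options, payload_len, ttl=64, tos=0, proto=51):
    """Outer IPv4 header carrying AH (protocol 51) plus an options area."""
    opts = options + b"\x00" * ((-len(options)) % 4)  # pad options to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, ihl * 4 + payload_len,
                      0x1234, 0, ttl, proto, 0, src, dst) + opts
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable_options(options: bytes) -> bytes:
    """Keep immutable options, zero mutable ones for ICV computation.
    Assumption of this example: a mutable option is zeroed over its whole
    length (type and length bytes included); unknown numbers count as mutable."""
    out = bytearray()
    i = 0
    while i < len(options):
        number = options[i] & 0x1F
        if number in (0, 1):               # EOOL and NOP carry no length byte
            out.append(options[i])
            i += 1
            continue
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed IPv4 option at offset %d" % i)
        chunk = options[i:i + length]
        out += chunk if number in IMMUTABLE_OPTS else b"\x00" * length
        i += length
    return bytes(out)


def ah_icv_coverage(ip_header: bytes, ah_header_zero_icv: bytes, payload: bytes) -> bytes:
    """Bytes the ICV covers (RFC 2402 section 3.3.3.1): IP header with mutable
    fields zeroed, the AH header with its ICV field zeroed, then the payload."""
    ihl = (ip_header[0] & 0x0F) * 4
    fixed = bytearray(ip_header[:20])
    fixed[1] = 0                   # TOS: mutable, zeroed
    fixed[6:8] = b"\x00\x00"       # flags + fragment offset: mutable, zeroed
    fixed[8] = 0                   # TTL: mutable, zeroed
    fixed[10:12] = b"\x00\x00"     # header checksum: mutable, zeroed
    return bytes(fixed) + zero_mutable_options(ip_header[20:ihl]) + ah_header_zero_icv + payload


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """RFC 2404: HMAC-SHA1 truncated to the leading 96 bits."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


AH_LEN = 12 + 12   # fixed AH fields + 96-bit ICV


def ah_icv(key, src, dst, options, payload, spi=0x1000, seq=1, next_header=17):
    """Build the outer header and AH for one packet; return the ICV AH would carry."""
    ip_hdr = build_ipv4_header(src, dst, options, AH_LEN + len(payload))
    ah_fixed = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    return hmac_sha1_96(key, ah_icv_coverage(ip_hdr, ah_fixed + b"\x00" * 12, payload))


def lsrr(hops):
    """Loose Source and Record Route option, type 0x83 (copy bit, class 0, number 3)."""
    data = b"".join(hops)
    return bytes([0x83, 3 + len(data), 4]) + data


def router_alert(value=0):
    """Router Alert option, type 0x94 (copy bit, class 0, number 20)."""
    return bytes([0x94, 4]) + struct.pack("!H", value)


# Constructed sample values for the demonstration.
KEY = b"\x0b" * 20
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
ROUTE_A = [bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])]
ROUTE_B = [bytes([198, 51, 100, 1]), bytes([198, 51, 100, 2])]
PAYLOAD = b"hello"


def demo():
    """Return (source route rewritten but ICV unchanged, Router Alert changed and ICV changed)."""
    icv_a = ah_icv(KEY, SRC, DST, lsrr(ROUTE_A) + router_alert(0), PAYLOAD)
    icv_b = ah_icv(KEY, SRC, DST, lsrr(ROUTE_B) + router_alert(0), PAYLOAD)
    icv_c = ah_icv(KEY, SRC, DST, lsrr(ROUTE_A) + router_alert(1), PAYLOAD)
    return icv_a == icv_b, icv_a != icv_c


if __name__ == "__main__":
    route_unprotected, alert_protected = demo()
    print("LSRR addresses rewritten, ICV unchanged:", route_unprotected)
    print("Router Alert value changed, ICV changed:", alert_protected)
```

The first result is the point of the message: a receiver verifying AH accepts the packet whether the loose source route lists one set of routers or another, because the whole option is zeroed before the ICV is computed. Anything an intermediate hop is expected to rewrite is, by construction, outside what the end-to-end ICV can vouch for.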

