
Re: Death to AH (was Re: SA identification)



In message <200103222151.f2MLpVA44060@givry.rennes.enst-bretagne.fr>, Francis Dupont writes:
> In your previous mail you wrote:
>
>   When there was discussion about why AH at all, the only real reason that
>   I can recollect was that Mobile-IPv6 uses it to protect Binding Updates.
>   Well, guess what, AH doesn't really work for them either, as witnessed
>   in the WG meeting today.
>   
>=> Is this opinion "IPsec is for VPN only" the opinion of the majority
>of the IPsec WG? I know this is yours, Jeff's and Henry's too...
>And of course the current market is at 99% in VPNs.
>

I don't agree that IPsec is only for VPNs.  I have some projects going 
that rely on transport-mode IPsec, and the advent of Windows 2000, 
Solaris 2.8, and IPsec on NIC cards will make them much more feasible.

But host-to-host versus VPN is a separate issue from the (desired) life 
expectancy of AH.  I won't bother restating my opinions on that subject.


		--Steve Bellovin, http://www.research.att.com/~smb