
Re: Death to AH (was Re: SA identification)



On Fri, 23 Mar 2001, Jun-ichiro itojun Hagino wrote:
> 	in previous discussions, most of "death to AH" reasoning was
> 	(in my understanding) like this:
> 	- you can protect the whole packet by tunnel mode ESP...
> 	  so why bother?
> 	so i guess "death to AH" and "ipsec is for VPN only" are related.

Only if you assume that tunnel mode is useful for VPNs only.  Not true,
unless you define "VPN" very broadly indeed, as "anything that uses
tunnels".  Most people prefer a narrower definition. 

And while we think that is an excellent argument against AH -- notably, it
provides a "backstop" solution which covers us against the possibility
that some unforeseen need might someday appear -- it is not the only one. 
The crucial argument against AH is the lack of real requirements for it. 

> 	it is correct that there are certain extension headers that do not
> 	need protection, however, there are certain applications that need
> 	AH (especially with transport mode).

This is the standard claim; the question is, to what extent is it really
true?  How many of those claimed needs stand up to careful analysis?
Remember, it is not enough to show that ESP cannot meet their needs -- it
is also necessary to show that AH can, which is not always a simple thing
to verify.  (Note, for example, IESG's recently-expressed doubts about
whether the authentication requirements of Binding Updates can really be
met using AH.)

                                                          Henry Spencer
                                                       henry@spsystems.net
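To make the point under dispute concrete, here is an added Python sketch (not from the list thread or any IPsec implementation) that computes the integrity-check value for AH transport, ESP transport and ESP tunnel over a constructed IPv6 packet carrying a Hop-by-Hop Router Alert option, and reports which in-transit changes each mode would detect. The key, addresses and payload are constructed, HMAC-SHA-256-128 is assumed as the integrity algorithm, and the hop-by-hop body is assumed to hold only immutable options.

```python
import hmac, hashlib, struct
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key-not-from-an-SA"  # constructed; real keys come from IKE
UDP, HOPOPT, AH, IPV6 = 17, 0, 51, 41          # IANA protocol / next-header numbers

@dataclass(frozen=True)
class Pkt:
    tc: int         # IPv6 Traffic Class: mutable in transit, zeroed for the AH ICV
    hop: int        # Hop Limit: mutable in transit, zeroed for the AH ICV
    src: bytes      # 16-byte source address (immutable)
    dst: bytes      # 16-byte destination address (immutable)
    hbh: bytes      # Hop-by-Hop options body, 6 bytes; assumed immutable options only
    payload: bytes  # upper-layer data; a constructed UDP-like blob here

def ip6(p, nxt, plen, zero_mutable=False):
    tc, hop = (0, 0) if zero_mutable else (p.tc, p.hop)   # flow label kept at 0
    return struct.pack("!IHBB16s16s", (6 << 28) | (tc << 20), plen, nxt, hop, p.src, p.dst)

def hbh(p, nxt):
    return bytes([nxt, (2 + len(p.hbh)) // 8 - 1]) + p.hbh  # ext len in 8-octet units minus 1

def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]  # HMAC-SHA-256-128

def ah_icv(p, spi, seq):
    # AH transport: ICV over the whole packet, mutable fields and the ICV field zeroed
    ah = struct.pack("!BBHII", UDP, 5, 0, spi, seq) + bytes(16)  # 28-byte AH, ICV zeroed
    return mac(ip6(p, HOPOPT, 8 + 28 + len(p.payload), True) + hbh(p, AH) + ah + p.payload)

def esp_transport_icv(p, spi, seq):
    # ESP transport: ICV covers ESP header, payload and trailer only; IP and HBH headers sit outside
    return mac(struct.pack("!II", spi, seq) + p.payload + bytes([0, UDP]))

def esp_tunnel_icv(p, spi, seq):
    # ESP tunnel: the entire original packet (IP header and HBH included) becomes the ESP payload
    inner = ip6(p, HOPOPT, 8 + len(p.payload)) + hbh(p, UDP) + p.payload
    return mac(struct.pack("!II", spi, seq) + inner + bytes([0, IPV6]))

def covered(icv_fn, p, modified, spi=0x1001, seq=1):
    """True when the change from p to modified alters the ICV, i.e. the field is protected."""
    return not hmac.compare_digest(icv_fn(p, spi, seq), icv_fn(modified, spi, seq))

ROUTER_ALERT = bytes([5, 2, 0, 0, 1, 0])   # Router Alert option (immutable) + PadN
TAMPERED = bytes([5, 2, 0, 1, 1, 0])       # same option with its value rewritten in transit
BASE = Pkt(0, 64, bytes.fromhex("20010db8" + "00" * 12), bytes.fromhex("20010db8" + "00" * 11 + "01"),
           ROUTER_ALERT, b"\x00\x35\x00\x35\x00\x0cdemo")

def demo():
    hop_dec, opt_mod = replace(BASE, hop=63), replace(BASE, hbh=TAMPERED)
    return {"ah_detects_hop_decrement": covered(ah_icv, BASE, hop_dec),               # False, by design
            "ah_detects_hbh_change": covered(ah_icv, BASE, opt_mod),                  # True
            "esp_transport_detects_hbh_change": covered(esp_transport_icv, BASE, opt_mod),  # False
            "esp_tunnel_detects_hbh_change": covered(esp_tunnel_icv, BASE, opt_mod)}  # True
```

The last two results are the crux of the thread: ESP in transport mode leaves a modified extension header undetected, while tunnel-mode ESP catches it because the whole inner packet is inside the ESP payload.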



