Re: Death to AH (was Re: SA identification)
>
> The question is, how many IPsec people were present?
>
The assertion was made that the current Mobile IPV6 spec uses
IPSEC in a way that just doesn't scale. AH was chosen by
Mobile IPV6 because it provides protection of outer header
information, including the bits of IPV6 options goop that carries
Mobile IPV6 binding updates. It's not *impossible* to use ESP
for this, but it's awkward.

Quite apart from the AH/ESP debate in Mobile IPV6, there exists a
rather ugly problem, in that requiring that binding updates
be protected IPV6 requires deploying IPSEC, complete with
some kind of large-scale PKI, to protect binding updates between
random strangers. From a *practical* perspective, this is a
non-starter.

There *are* folks who believe that IPSEC is just for VPNs, and in
fact that's certainly an easy and obvious starting point. There is
no necessary relationship between "AH is bad", and "IPSEC is
only for VPNs".