
Re: Death to AH (was Re: SA identification)




> 
> The question is, how many IPsec people were present?
> 
The assertion was made that the current Mobile IPV6 spec uses
  IPSEC in a way that just doesn't scale.  AH was chosen by
  Mobile IPV6 because it provides protection of outer header
  information, including the bits of IPV6 options goop that carries
  Mobile IPV6 binding updates.  It's not *impossible* to use ESP
  for this, but it's awkward.

Quite apart from the AH/ESP debate in Mobile IPV6, there exists a
  rather ugly problem, in that requiring that binding updates
  be protected, IPV6 requires deploying IPSEC, complete with
  some kind of large-scale PKI, to protect binding updates between
  random strangers.  From a *practical* perspective, this is a
  non-starter.

There *are* folks who believe that IPSEC is just for VPNs, and in
  fact that's certainly an easy and obvious starting point.  There is
  no necessary relationship between "AH is bad", and "IPSEC is
  only for VPNs".

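The point above about AH protecting "outer header information" comes down to which bytes each protocol's integrity check value (ICV) covers. Per RFC 2402, AH authenticates the IPv6 header (with mutable fields such as Hop Limit, Traffic Class and Flow Label zeroed), the extension headers that precede it (zeroing the data of options whose type has the "may change en route" bit 0x20 set), and everything after it. Per RFC 2406, a transport-mode ESP ICV covers only the ESP header, the payload and the ESP trailer, so a Destination Options header placed before ESP, and the IPv6 addresses, are outside it; such options are covered only if they are moved behind the ESP header, which is the awkwardness referred to above. The following is an added example, not code from the original message or from any Mobile IPv6 or IPsec implementation. The key, SPI, addresses, the option type 0x1F and the option data "binding-upd!" are constructed stand-ins, not real Mobile IPv6 values; HMAC-SHA1-96 is the assumed integrity algorithm and ESP is assumed to use NULL encryption so the payload stays readable.

```python
"""Which bytes AH and transport-mode ESP authenticate in an IPv6 packet.

Added example, not code from the original message. Key, SPI, addresses, the
option type 0x1F and the option data are constructed for illustration and are
not real Mobile IPv6 values. HMAC-SHA1-96 is assumed as the integrity
algorithm; ESP is assumed to use NULL encryption (payload left in the clear).
"""
import hashlib
import hmac
import struct

KEY = bytes(range(20))                     # constructed shared key
SPI, SEQ = 0x1000, 1                       # constructed SA identifiers
AH, ESP, DSTOPTS, HBH, UDP = 51, 50, 60, 0, 17
OPT_BINDING = 0x1F                         # constructed option type; bit 0x20 clear = immutable in transit
OPT_MUTABLE = OPT_BINDING | 0x20           # same option, marked "may change en route"
SRC = bytes.fromhex("20010db8000000000000000000000001")   # constructed addresses
DST = bytes.fromhex("20010db8000000000000000000000002")
ULP = bytes(range(16))                     # constructed opaque upper-layer payload
AH_LEN = 24                                # 12-byte fixed part + 96-bit ICV (IPv6 needs a multiple of 8)


def hmac_sha1_96(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def ipv6_hdr(payload_len, next_hdr, hop_limit=64):
    return struct.pack("!IHBB", 6 << 28, payload_len, next_hdr, hop_limit) + SRC + DST


def dstopts_hdr(next_hdr, opt_type, opt_data):
    """Destination Options header carrying one 12-byte option (16 bytes total, so no padding)."""
    assert len(opt_data) == 12
    return bytes([next_hdr, 1, opt_type, len(opt_data)]) + opt_data


def find_header(pkt, proto):
    """Offset of the header with protocol number `proto`, walking Hop-by-Hop/Destination Options."""
    nxt, off = pkt[6], 40
    while nxt != proto:
        if nxt not in (HBH, DSTOPTS):
            raise ValueError("protocol %d not found (stopped at %d)" % (proto, nxt))
        nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return off


def zero_mutable_options(buf, off, hlen):
    """Zero the data of TLV options whose type has the change-en-route bit (0x20) set."""
    i = off + 2
    while i < off + hlen:
        if buf[i] == 0:                    # Pad1 has no length byte
            i += 1
            continue
        olen = buf[i + 1]
        if buf[i] & 0x20:
            buf[i + 2:i + 2 + olen] = bytes(olen)
        i += 2 + olen


def ah_covered_bytes(pkt):
    """AH ICV input: IPv6 header with mutable fields zeroed, extension headers before AH
    with mutable option data zeroed, the AH header with its ICV zeroed, and all that follows."""
    buf = bytearray(pkt)
    buf[0], buf[1:4], buf[7] = 0x60, b"\0\0\0", 0      # Traffic Class, Flow Label, Hop Limit
    nxt, off = buf[6], 40
    while nxt != AH:
        hlen = (buf[off + 1] + 1) * 8
        zero_mutable_options(buf, off, hlen)
        nxt, off = buf[off], off + hlen
    buf[off + 12:off + AH_LEN] = bytes(12)
    return bytes(buf)


def build_ah_packet(opt_data, opt_type=OPT_BINDING):
    ext = dstopts_hdr(AH, opt_type, opt_data)
    ip = ipv6_hdr(len(ext) + AH_LEN + len(ULP), DSTOPTS)
    fixed = struct.pack("!BBHII", UDP, AH_LEN // 4 - 2, 0, SPI, SEQ)   # Payload Len: 32-bit words minus 2
    icv = hmac_sha1_96(ah_covered_bytes(ip + ext + fixed + bytes(12) + ULP))
    return ip + ext + fixed + icv + ULP


def verify_ah(pkt):
    off = find_header(pkt, AH)
    return hmac.compare_digest(pkt[off + 12:off + AH_LEN], hmac_sha1_96(ah_covered_bytes(pkt)))


def build_esp_packet(opt_data, opt_type=OPT_BINDING):
    ext = dstopts_hdr(ESP, opt_type, opt_data)
    pad_len = (-(len(ULP) + 2)) % 4                      # payload + trailer must be 4-byte aligned
    body = struct.pack("!II", SPI, SEQ) + ULP + bytes(range(1, pad_len + 1)) + bytes([pad_len, UDP])
    esp = body + hmac_sha1_96(body)                      # ICV covers SPI .. Next Header only
    return ipv6_hdr(len(ext) + len(esp), DSTOPTS) + ext + esp


def verify_esp(pkt):
    off = find_header(pkt, ESP)
    return hmac.compare_digest(pkt[-12:], hmac_sha1_96(pkt[off:-12]))


def flip_byte(pkt, i):
    buf = bytearray(pkt)
    buf[i] ^= 0xFF
    return bytes(buf)


def demo():
    """Modify the option data, source address and payload of valid AH and ESP packets in
    transit; True means the receiver's ICV check rejects the modified packet."""
    opt = b"binding-upd!"                                # constructed stand-in for a binding update
    ah, esp = build_ah_packet(opt), build_esp_packet(opt)
    opt_off = 40 + 4                                     # first byte of option data
    return {
        "ah_ok": verify_ah(ah),
        "esp_ok": verify_esp(esp),
        "ah_rejects_option_tamper": not verify_ah(flip_byte(ah, opt_off)),
        "esp_rejects_option_tamper": not verify_esp(flip_byte(esp, opt_off)),
        "ah_rejects_src_addr_tamper": not verify_ah(flip_byte(ah, 8)),
        "esp_rejects_src_addr_tamper": not verify_esp(flip_byte(esp, 8)),
        "ah_rejects_payload_tamper": not verify_ah(flip_byte(ah, find_header(ah, AH) + AH_LEN)),
        "esp_rejects_payload_tamper": not verify_esp(flip_byte(esp, find_header(esp, ESP) + 8)),
        # Option data marked mutable (bit 0x20) is zeroed before the ICV is computed, so AH skips it too.
        "ah_rejects_mutable_option_tamper": not verify_ah(flip_byte(build_ah_packet(opt, OPT_MUTABLE), opt_off)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-36s %s" % (name, result))
```

Running it shows both receivers rejecting a modified payload, but only the AH receiver rejecting a modified destination option or source address; the last entry is the caveat that AH's header protection stops at options flagged mutable, so a binding update only gets AH's protection if its option type leaves bit 0x20 clear.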
