Re: Death to AH (was Re: SA identification)
Henry Spencer wrote:
> (Note, for example, IESG's recently-expressed doubts about
> whether the authentication requirements of Binding Updates can really be
> met using AH.)
I have read it as a doubt about the use of IPSec in general, rather than
AH alone... Was I wrong?
Excerpt from mobile-ip mailing list:
>>The IESG has concerns about the draft's dependency on IPSEC AH to
>>authenticate Binding Updates. There are several issues here.
>>
>> a) There is significant overhead associated with building and
>> maintaining AH/IPsec SAs (both in terms of state that needs to
>> be maintained, but also in terms of required message flows, and
>> the processing required to implement those flows).
This is about building and maintaining SAs, especially the overhead of
ISAKMP/IKE, not specifically about AH.
>> b) The processing rules for authenticating a Binding Update with AH
>> are complex and are apparently not readily supported by the
>> current generation of IPsec/IKE implementations (e.g., the IPsec
>> policies are needed that specify sufficient granularity about
>> IPv6 packets containing binding updates).
I thought this isn't specific to AH, either.
FUKUMOTO Atsushi
fukumoto@isl.rdc.toshiba.co.jp