
Re: Death to AH (was Re: SA identification)

Henry Spencer wrote:
> (Note, for example, IESG's recently-expressed doubts about
> whether the authentication requirements of Binding Updates can really be
> met using AH.)


I have read it as a doubt about the use of IPsec in general, rather than
AH alone...  Was I wrong?

Excerpt from mobile-ip mailing list:
>>The IESG has concerns about the draft's dependency on IPSEC AH to
>>authenticate Binding Updates. There are several issues here.
>>
>>   a) There is significant overhead associated with building and
>>      maintaining AH/IPsec SAs (both in terms of state that needs to
>>      be maintained, but also in terms of required message flows, and
>>      the processing required to implement those flows).

This is about building and maintaining SAs, especially the overhead of
ISAKMP/IKE, not specifically about AH.


>>   b) The processing rules for authenticating a Binding Update with AH
>>      are complex and are apparently not readily supported by the
>>      current generation of IPsec/IKE implementations (e.g., the IPsec
>>      policies are needed that specify sufficient granularity about
>>      IPv6 packets containing binding updates).

I thought this wasn't specific to AH, either.


					FUKUMOTO Atsushi
					fukumoto@isl.rdc.toshiba.co.jp
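The "sufficient granularity" problem in point (b) above is easier to see with a concrete selector model. The following is an added example, not code from this thread or from any IPsec implementation: a toy SPD lookup over constructed IPv6 packets that shows why a selector built only from addresses and upper-layer protocol cannot single out Binding Updates, and what a policy engine has to do (walk the extension-header chain, then read the Mobility Header type) to apply AH to Binding Updates alone. It assumes the RFC 3775 Mobility Header encoding (protocol 135, MH Type 5 for Binding Update, 6 for Binding Acknowledgement), which is not necessarily the encoding of the draft the IESG was reviewing; the addresses, the setkey-style policy strings and the zeroed AH and MH checksum fields are all constructed.

```python
"""Toy IPsec SPD lookup: selector granularity needed to match Mobile IPv6
Binding Updates.  Added example with constructed packets, not real IPsec code."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# IANA protocol / extension-header numbers
IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT = 0, 43, 44
IPPROTO_AH, IPPROTO_NONE, IPPROTO_DSTOPTS = 51, 59, 60
IPPROTO_MH = 135                      # Mobility Header (RFC 3775 encoding, assumed here)
MH_BINDING_UPDATE, MH_BINDING_ACK = 5, 6

def walk_ipv6(pkt: bytes):
    """Skip the IPv6 extension-header chain; return (upper protocol, its offset)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while True:
        if nh in (IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS):
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8   # 8-octet units, excl. first 8
        elif nh == IPPROTO_FRAGMENT:
            if off + 8 > len(pkt):
                raise ValueError("truncated fragment header")
            nh, off = pkt[off], off + 8
        elif nh == IPPROTO_AH:
            if off + 2 > len(pkt):
                raise ValueError("truncated AH")
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4   # AH len: 4-octet units minus 2
        else:
            return nh, off

def mh_type(pkt: bytes) -> Optional[int]:
    """MH Type of the Mobility Header, or None if the packet carries none."""
    proto, off = walk_ipv6(pkt)
    if proto != IPPROTO_MH or off + 8 > len(pkt):
        return None
    return pkt[off + 2]

def carries_binding_update(pkt: bytes) -> bool:
    return mh_type(pkt) == MH_BINDING_UPDATE

@dataclass
class Selector:
    """SPD selector; None is a wildcard.  mh_type is the field a selector model
    limited to addresses and upper protocol does not have."""
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[int] = None
    mh_type: Optional[int] = None

    def matches(self, pkt: bytes) -> bool:
        src = ipaddress.IPv6Address(pkt[8:24])
        dst = ipaddress.IPv6Address(pkt[24:40])
        proto, _ = walk_ipv6(pkt)
        return ((self.src is None or ipaddress.IPv6Address(self.src) == src)
                and (self.dst is None or ipaddress.IPv6Address(self.dst) == dst)
                and (self.proto is None or self.proto == proto)
                and (self.mh_type is None or self.mh_type == mh_type(pkt)))

def lookup(spd, pkt: bytes) -> str:
    """First-match SPD lookup; 'discard' if no entry matches."""
    for selector, policy in spd:
        if selector.matches(pkt):
            return policy
    return "discard"

# --- constructed packets (no real checksums or ICVs) ---------------------------
def ipv6(src, dst, nh, payload):
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), nh, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def mobility_header(mtype, data):
    pad = (-(6 + len(data))) % 8          # total MH length must be a multiple of 8
    hdr_len = (6 + len(data) + pad) // 8 - 1
    return struct.pack("!BBBBH", IPPROTO_NONE, hdr_len, mtype, 0, 0) + data + bytes(pad)

def dstopts(nh):                           # one PadN option filling the 8-octet header
    return struct.pack("!BB", nh, 0) + b"\x01\x04\x00\x00\x00\x00"

def ah(nh, icv=bytes(12)):                 # SPI, sequence and ICV are zero placeholders
    return struct.pack("!BBHII", nh, (12 + len(icv)) // 4 - 2, 0, 0, 0) + icv

MN, HA = "2001:db8::1", "2001:db8::100"    # mobile node / home agent, constructed
BU_DATA = struct.pack("!HHH", 1, 0x8000, 300)          # seq, A flag, lifetime
BU_PLAIN = ipv6(MN, HA, IPPROTO_MH, mobility_header(MH_BINDING_UPDATE, BU_DATA))
BU_AH = ipv6(MN, HA, IPPROTO_DSTOPTS,
             dstopts(IPPROTO_AH) + ah(IPPROTO_MH) + mobility_header(MH_BINDING_UPDATE, BU_DATA))
BACK = ipv6(HA, MN, IPPROTO_MH, mobility_header(MH_BINDING_ACK, struct.pack("!BBHH", 0, 0, 1, 300)))
TCP = ipv6(MN, HA, 6, bytes(20))

# Coarse selectors (addresses + upper protocol) treat every Mobility Header message alike;
# the fine SPD reaches into the MH Type field and requires AH for Binding Updates only.
COARSE_SPD = [(Selector(proto=IPPROTO_MH), "ah/transport//require"), (Selector(), "bypass")]
FINE_SPD = [(Selector(proto=IPPROTO_MH, mh_type=MH_BINDING_UPDATE), "ah/transport//require"),
            (Selector(), "bypass")]

if __name__ == "__main__":
    for name, pkt in [("BU", BU_PLAIN), ("BU+AH", BU_AH), ("BAck", BACK), ("TCP", TCP)]:
        print(f"{name:6} coarse={lookup(COARSE_SPD, pkt):22} fine={lookup(FINE_SPD, pkt)}")
```

Under the coarse SPD a Binding Acknowledgement gets the same "require AH" policy as a Binding Update, so an implementation whose selectors stop at the upper-layer protocol cannot express "authenticate Binding Updates with AH" without also covering every other Mobility Header message; the fine SPD can, but only because the lookup parses the extension-header chain (including a preceding AH header) down to the MH Type. That parsing step is the granularity the IESG text refers to, and it is a property of the policy engine, not of AH as opposed to ESP.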