Re: Death to AH (was Re: SA identification)
Based on discussion with some people, I'd like to ask a simple
question. I know, most of this has been discussed to death before,
but for me the exact reason for killing AH seems unclear. If you
don't want to clutter the list, feel free to send your reply to me
and I'll try to summarize whatever I receive.
Thus, which do you consider a bigger problem in AH,
a) the fact that AH protects the IP addresses, which makes it impossible
to change the addresses on the fly, or
b) the fact that AH attempts to protect all of the "immutable" fields in
the IP address, and actually deciding which fields are immutable
and which are not is not that easy, or
c) doing AH right is just hard because of all that hassle with mutable
vs. immutable fields in the header?
That is, is it that wrt NAT the IP address fields are not immutable
anymore, and therefore protecting them with AH seems not that productive.
Or is it that there are also other fields that are considered immutable
by the AH spec but are not. Or is it that doing AH right is just
so complex because you have to parse the header and zero some fields etc?
(I don't see any reason for protecting the addresses since if you are
doing end-to-end ipsec, protecting the addresses is (almost) pointless,
and if you are not doing end-to-end and want to rely on addresses,
you most probably want to do tunneling anyway).
Or am I missing something, and the problem with AH is something
completely different?
--Pekka
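To make points (a) and (c) above concrete, here is an added worked example that is not part of Pekka's post or of any IPsec implementation. It builds an IPv4 packet carrying an AH header, computes the ICV over the IP header with the mutable fields zeroed (TOS, Flags, Fragment Offset, TTL, Header Checksum, per RFC 4302 Appendix A), and then shows that a router hop (TTL decrement) still verifies while a NAT rewrite of the source address does not, because the addresses are treated as immutable. Assumptions: HMAC-SHA1-96 (RFC 2404) as the integrity algorithm, IPv4 without options (option-by-option classification, the hard part of (b) and (c), is deliberately refused rather than handled), and a constructed key, payload and addresses.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key; not from the original post. Real SAs get keys from IKE.
KEY = b"example-ah-hmac-key-do-not-reuse"
AH_PROTO = 51
ICV_LEN = 12            # HMAC-SHA1-96 (RFC 2404): HMAC-SHA1 truncated to 96 bits
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement header checksum."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, total_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header, no options, Protocol = AH (51), DF set."""
    fields = [0x45, 0, total_len, 0x1234, 0x4000, ttl, AH_PROTO, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def zero_mutable_ipv4(hdr: bytes) -> bytes:
    """Copy of the IPv4 header with the fields RFC 4302 Appendix A calls
    mutable zeroed: TOS (DSCP/ECN), Flags, Fragment Offset, TTL, Checksum.
    Version, IHL, Total Length, Identification, Protocol and both addresses
    stay in the ICV input: AH treats them as immutable."""
    if (hdr[0] & 0x0F) * 4 != 20:
        raise ValueError("IP options present; each option must be classified "
                         "mutable/immutable per RFC 4302 (not handled here)")
    h = bytearray(hdr[:20])
    h[1] = 0                # TOS byte: DSCP + ECN
    h[6] = h[7] = 0         # Flags + Fragment Offset
    h[8] = 0                # TTL
    h[10] = h[11] = 0       # Header Checksum
    return bytes(h)


def ah_header(spi: int, seq: int, next_header: int = 17) -> bytes:
    """AH header (RFC 4302 2.2) with the ICV field zeroed. Payload Len is the
    AH length in 32-bit words minus 2: 24 bytes -> 6 words -> 4."""
    payload_len = (12 + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + b"\0" * ICV_LEN


def compute_icv(key: bytes, ip_hdr: bytes, ah_hdr: bytes, payload: bytes) -> bytes:
    """ICV over: IP header (mutable zeroed) || AH header (ICV zeroed) || payload."""
    data = zero_mutable_ipv4(ip_hdr) + ah_hdr[:12] + b"\0" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, payload: bytes,
                    spi: int = 0x1000, seq: int = 1) -> bytes:
    ip = ipv4_header(src, dst, 20 + 12 + ICV_LEN + len(payload))
    ah = ah_header(spi, seq)
    return ip + ah[:12] + compute_icv(key, ip, ah, payload) + payload


def verify_ah_packet(key: bytes, pkt: bytes) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    ip, ah, payload = pkt[:20], pkt[20:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(compute_icv(key, ip, ah, payload), ah[12:])


def _fix_checksum(h: bytearray) -> bytes:
    h[10:12] = b"\0\0"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def forward_hop(pkt: bytes) -> bytes:
    """What every router does: decrement TTL. TTL is mutable, so AH still verifies."""
    h = bytearray(pkt[:20])
    h[8] -= 1
    return _fix_checksum(h) + pkt[20:]


def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """What a NAT does: rewrite the source address. Addresses are immutable
    under AH, so the receiver's ICV check fails."""
    h = bytearray(pkt[:20])
    h[12:16] = socket.inet_aton(new_src)
    return _fix_checksum(h) + pkt[20:]


if __name__ == "__main__":
    pkt = build_ah_packet(KEY, "10.0.0.1", "192.0.2.10", b"constructed payload")
    print("as sent:    ", verify_ah_packet(KEY, pkt))                                  # True
    print("after a hop:", verify_ah_packet(KEY, forward_hop(pkt)))                     # True
    print("after NAT:  ", verify_ah_packet(KEY, nat_rewrite_src(pkt, "203.0.113.5")))  # False
```

The ValueError in zero_mutable_ipv4 is the honest version of point (c): once IHL is larger than 5, an implementation has to walk every option and decide, per option type, whether it is immutable, mutable-but-predictable, or mutable and to be zeroed; this example refuses such packets rather than guess. The NAT case is point (a) exactly: nothing in the packet is corrupt, the checksum is valid, but the ICV was computed over the original source address and cannot be recomputed by a middlebox without the key.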