
Re: Death to AH (was Re: SA identification)



On Fri, 23 Mar 2001, Pekka Nikander wrote:
> ...for me the exact reason for killing AH seems unclear...
> Or am I missing something, and the problem with AH is something
> completely different?

It adds substantial complexity to IPsec -- a set of protocols which is
already too complex (an especially bad thing in a security system) -- for
little or no benefit.  That's the big one. 

The awkward implementation, and the incompatibilities with things like
NAT, are significant but definitely secondary issues.

                                                          Henry Spencer
                                                       henry@spsystems.net


