
Re: Death to AH (was Re: SA identification)



> so i guess "death to AH" and "ipsec is for VPN only" are
> related.

As others have pointed out, this relationship is weak at best.

In particular, any IPsec implementation should include policy checks
after ESP decapsulation which not only verify that the IP headers
haven't been tampered with during transit, but also that they were
correct to begin with.

> it is correct that there are certain extension headers that do not
> need protection, however, there are certain applications that need
> AH (especially with transport mode).  as an increasing number of protocol
> documents are relying upon the existence of ESP and AH (like most of
> IPv6 routing protocols)

Could you give pointers?  (I don't follow the routing area closely).

> i believe we need AH definitely.

I think we need a "this is how to use ipsec to protect your
protocol"/"this is what ipsec provides to upper-layer protocols"
document...

					- Bill
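
The following is an added example, not part of the message above: one form the post-decapsulation policy check could take, comparing the header fields of a packet that already passed ESP authentication against the selectors bound to the SA it arrived on. The `InboundSA` record, the function names and the sample addresses are hypothetical, and the sketch covers only IPv4 address and protocol selectors.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class InboundSA:
    """Hypothetical SA record: the selectors negotiated for this SPI."""
    spi: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int] = None   # None means any upper-layer protocol

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto) from an IPv4 header, rejecting malformed input."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5:
        raise ValueError("not a well-formed IPv4 header")
    return (ipaddress.IPv4Address(pkt[12:16]),
            ipaddress.IPv4Address(pkt[16:20]), pkt[9])

def check_after_decap(sa: InboundSA, pkt: bytes):
    """Run after ESP authentication and decryption succeeded on sa.
    Returns (accept, reason); anything outside the SA's selectors is dropped."""
    try:
        src, dst, proto = parse_ipv4(pkt)
    except ValueError as exc:
        return False, str(exc)
    if src not in sa.src:
        return False, f"source {src} not permitted on SPI {sa.spi:#x}"
    if dst not in sa.dst:
        return False, f"destination {dst} not permitted on SPI {sa.spi:#x}"
    if sa.proto is not None and proto != sa.proto:
        return False, f"protocol {proto} not permitted on SPI {sa.spi:#x}"
    return True, "matches SA selectors"

def make_ipv4(src: str, dst: str, proto: int) -> bytes:
    """Constructed sample header (checksum left zero; not checked here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

# Constructed SA: peer may only source 10.1.0.0/16 toward 10.2.0.0/16, TCP only.
SA = InboundSA(0x1001, ipaddress.ip_network("10.1.0.0/16"),
               ipaddress.ip_network("10.2.0.0/16"), 6)

if __name__ == "__main__":
    for s, d, p in [("10.1.4.7", "10.2.0.9", 6),      # within selectors
                    ("192.0.2.50", "10.2.0.9", 6),    # valid ESP, wrong source
                    ("10.1.4.7", "10.2.0.9", 17)]:    # valid ESP, wrong protocol
        print(s, d, p, check_after_decap(SA, make_ipv4(s, d, p)))
```

The second and third sample packets stand for traffic whose ESP integrity check succeeded but whose headers were never permitted on that SA, which is the "correct to begin with" case.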

