
Re: Death to AH (was Re: SA identification)



There is at least one other reason why AH's authentication of the IP
header is useful.

In the case of multicast SAs, AH's checksum over the IP source
address protects the IP source address from tampering.

There has been interest in and work on using IPsec to protect IPv6
neighbor discovery/router discovery.  

While I'm not certain, I believe that it's necessary to protect the
IPv6 source address to completely protect ND messages.

AH does this; "transport-mode" ESP doesn't.

Using a v6-in-v6 encapsulation ("tunnel mode") for ND would be
tricky/annoying.

						- Bill
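
Added example, not part of the original message: a simplified Python model of the coverage difference described above, comparing an AH-style ICV (IPv6 base header with mutable fields zeroed, plus payload) with a transport-mode ESP-style ICV (ESP header and payload only). The key, addresses, SPI and payload are constructed; HMAC-SHA-256 truncated to 16 bytes is an assumed algorithm, and AH's own header, extension headers and ESP encryption are omitted.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed SA key, for illustration only

def ipv6_header(src, dst, payload_len, next_header, hop_limit=255):
    """Build a 40-byte IPv6 base header (traffic class and flow label 0)."""
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def zero_mutable(hdr):
    """Zero the fields routers may change: traffic class, flow label, hop limit."""
    return b"\x60\x00\x00\x00" + hdr[4:7] + b"\x00" + hdr[8:]

def ah_icv(hdr, payload):
    """AH-style ICV: immutable IP header fields plus the upper-layer payload."""
    return hmac.new(KEY, zero_mutable(hdr) + payload, hashlib.sha256).digest()[:16]

def esp_icv(esp_header, payload):
    """Transport-mode ESP-style ICV: ESP header and payload only, no IP header."""
    return hmac.new(KEY, esp_header + payload, hashlib.sha256).digest()[:16]

def with_source(hdr, new_src):
    """Return hdr with its source address field (bytes 8..23) replaced."""
    return hdr[:8] + ipaddress.IPv6Address(new_src).packed + hdr[24:]

def source_change_detected():
    """Report which ICV fails to verify after the source address changes in transit."""
    nd = b"\x88\x00" + b"constructed ND message body"  # constructed payload
    esp_hdr = struct.pack("!II", 0x1000, 1)            # constructed SPI and sequence number
    sent = ipv6_header("fe80::1", "ff02::1", len(nd), 58)
    ah_tag, esp_tag = ah_icv(sent, nd), esp_icv(esp_hdr, nd)
    received = with_source(sent, "fe80::2")
    return {
        # AH recomputes over the received header, so the mismatch is caught.
        "ah": not hmac.compare_digest(ah_tag, ah_icv(received, nd)),
        # The ESP input never included the IP header, so the tag still verifies.
        "esp": not hmac.compare_digest(esp_tag, esp_icv(esp_hdr, nd)),
    }

if __name__ == "__main__":
    print(source_change_detected())
```
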

