
Re: Protocols that refer AH (was: Death to AH)



In message <012701c0b628$79c1b960$fc2645ab@cisco.com>, "Scott Fanning" writes:
>VRRP also talks about AH (<draft-ietf-vrrp-spec-v2-05.txt>), although it is
>not integral to the protocol.
>5.3.6.3 IP Authentication Header.
>
>Seeing that AH does authenticate more than ESP (the outside IP Header), has
>there been any discussion on making a header that combines ESP and AH? I
>know that ESP NULL provides just authentication, but not the same coverage
>as AH.

To what end?  AH's problems come because it tries to cover too much of 
the packet; changing ESP to do that would cause the same problems.  
Remember that you can often bind the source IP address to the certificate,
and check that match at decryption time.


		--Steve Bellovin, http://www.research.att.com/~smb
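The coverage difference under discussion, as an added illustration (not code from the thread): AH's ICV spans the IP header (minus the mutable fields), so a source-address rewrite in transit breaks it, while an ESP-NULL ICV covers only the ESP header and payload and survives. The key, addresses and payload are constructed sample values.

```python
import hmac
import hashlib
import struct

KEY = b"constructed-demo-key"  # constructed shared key for the demo, not real material

def ip4(a):
    return bytes(int(x) for x in a.split("."))

def ipv4_header(src, dst, ttl=64):
    """Minimal 20-byte IPv4 header (constructed; checksum left as zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, 0x4000,
                       ttl, 51, 0, ip4(src), ip4(dst))

def ah_scope(hdr, payload):
    """AH's integrity scope: the whole IP header, with the mutable fields
    (flags/fragment offset, TTL, header checksum) zeroed, plus the payload."""
    h = bytearray(hdr)
    h[6:8] = b"\x00\x00"; h[8] = 0; h[10:12] = b"\x00\x00"
    return bytes(h) + payload

def esp_scope(hdr, payload):
    """ESP-NULL's integrity scope: ESP header and payload only, not the outer IP header."""
    return payload

def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def protect(src, dst, payload):
    hdr = ipv4_header(src, dst)
    return hdr, payload, icv(ah_scope(hdr, payload)), icv(esp_scope(hdr, payload))

def verify(hdr, payload, ah_icv, esp_icv):
    """Return (ah_ok, esp_ok) for the packet as received."""
    return (hmac.compare_digest(icv(ah_scope(hdr, payload)), ah_icv),
            hmac.compare_digest(icv(esp_scope(hdr, payload)), esp_icv))

def router_hop(hdr):
    """A router decrementing TTL: a mutable field both scopes tolerate."""
    h = bytearray(hdr); h[8] -= 1; return bytes(h)

def nat_rewrite(hdr, new_src):
    """A NAT rewriting the source address in transit."""
    h = bytearray(hdr); h[12:16] = ip4(new_src); return bytes(h)

def demo():
    hdr, pl, a, e = protect("10.0.0.5", "192.0.2.1", b"SPI|seq|inner data")
    after_hop = verify(router_hop(hdr), pl, a, e)                  # (True, True)
    after_nat = verify(nat_rewrite(hdr, "203.0.113.7"), pl, a, e)  # (False, True)
    return after_hop, after_nat
```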



