Re: Protocols that refer AH (was: Death to AH)
In message <012701c0b628$79c1b960$fc2645ab@cisco.com>, "Scott Fanning" writes:
>VRRP also talks about AH (<draft-ietf-vrrp-spec-v2-05.txt>), although it is
>not integral to the protocol.
>5.3.6.3 IP Authentication Header.
>
>Seeing that AH does authenticate more than ESP (the outside IP Header), has
>there been any discussion on making a header that combines ESP and AH? I
>know that ESP NULL provides just authentication, but not the same coverage
>as AH.
To what end? AH's problems come because it tries to cover too much of
the packet; changing ESP to do that would cause the same problems.
Remember that you can often bind the source IP address to the certificate,
and check that match at decryption time.
--Steve Bellovin, http://www.research.att.com/~smb
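The coverage difference the two messages argue about, worked through as an added example (not code from the thread or from any IPsec implementation): it computes the AH integrity check value over an IPv4 header with the RFC 2402 mutable fields zeroed, computes an ESP-NULL ICV that never sees the outer header at all, and then applies the receiver-side policy Bellovin describes, comparing the packet's source address with the address bound to the SA. HMAC-SHA1-96 (RFC 2404) is assumed as the authenticator; the key, SPI, addresses, payload and the `sa_table` lookup are all constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo key for the SA; a real key would be negotiated by IKE.
KEY = b"0123456789abcdef0123"
SPI = 0x100


def build_ipv4_header(src, dst, ttl=64, tos=0, proto=51, total_len=60):
    """Build a 20-byte IPv4 header without options. The checksum is left at
    zero: it is a mutable field and is excluded from AH coverage anyway."""
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, tos, total_len, 0x1234,
                       0, ttl, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def zero_mutable_ipv4_fields(hdr):
    """RFC 2402 3.3.3.1: TOS, flags/fragment offset, TTL and header checksum may
    change in transit, so AH zeroes them before computing the ICV. Source and
    destination addresses are immutable and stay covered."""
    h = bytearray(hdr)
    h[1] = 0                   # TOS
    h[6:8] = b"\x00\x00"       # flags + fragment offset
    h[8] = 0                   # TTL
    h[10:12] = b"\x00\x00"     # header checksum
    return bytes(h)


def hmac_sha1_96(key, data):
    """HMAC-SHA1 truncated to 96 bits (RFC 2404), the usual AH/ESP authenticator."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def ah_icv(ip_hdr, spi, seq, payload, next_header=17, key=KEY):
    """AH ICV input: the IP header with mutable fields zeroed, the AH header
    with its own ICV field zeroed, then the full upper-layer payload."""
    ah_hdr = struct.pack("!BBHII", next_header, 4, 0, spi, seq) + b"\x00" * 12
    return hmac_sha1_96(key, zero_mutable_ipv4_fields(ip_hdr) + ah_hdr + payload)


def esp_null_icv(spi, seq, payload, next_header=17, key=KEY):
    """ESP-NULL ICV input: ESP header (SPI, sequence), payload and ESP trailer.
    There is deliberately no ip_hdr parameter: the outer header is not covered."""
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return hmac_sha1_96(key, struct.pack("!II", spi, seq) + payload + trailer)


def esp_receive(ip_hdr, spi, seq, payload, icv, sa_table):
    """Receiver-side check for ESP: verify the ICV, then apply the policy the
    thread suggests, comparing the packet's source address with the address
    bound to this SA (for example taken from the peer's certificate during IKE).
    sa_table is a hypothetical {spi: (key, bound_source_ip)} lookup."""
    key, bound_src = sa_table[spi]
    if not hmac.compare_digest(esp_null_icv(spi, seq, payload, key=key), icv):
        return "bad icv"
    src = ".".join(str(b) for b in ip_hdr[12:16])
    if src != bound_src:
        return "source %s does not match SA binding %s" % (src, bound_src)
    return "ok"


def coverage_demo():
    """Show what each mechanism notices when the outer IP header changes."""
    payload = b"constructed UDP payload"          # constructed sample data
    original = build_ipv4_header("10.0.0.1", "10.0.0.2")
    ttl_decremented = build_ipv4_header("10.0.0.1", "10.0.0.2", ttl=63)
    src_rewritten = build_ipv4_header("192.0.2.1", "10.0.0.2")

    ah = ah_icv(original, SPI, 1, payload)
    esp = esp_null_icv(SPI, 1, payload)
    sa_table = {SPI: (KEY, "10.0.0.1")}           # SA bound to the peer's address
    return {
        # AH tolerates the hop-by-hop TTL change because TTL is zeroed...
        "ah_after_ttl_decrement": ah_icv(ttl_decremented, SPI, 1, payload) == ah,
        # ...but a rewritten source address breaks the ICV, since it is covered.
        "ah_after_src_rewrite": ah_icv(src_rewritten, SPI, 1, payload) == ah,
        # ESP's ICV is independent of the outer header; the SA binding catches it.
        "esp_original": esp_receive(original, SPI, 1, payload, esp, sa_table),
        "esp_after_src_rewrite": esp_receive(src_rewritten, SPI, 1, payload, esp, sa_table),
    }


if __name__ == "__main__":
    for name, result in coverage_demo().items():
        print(name, "->", result)
```

Running `coverage_demo()` shows the trade-off in one place: the AH ICV survives a router decrementing TTL but not a rewritten source address, because the address is part of what AH signs; the ESP ICV is the same bytes regardless of the outer header, and it is the separate address-to-SA binding check at decryption time that rejects the rewritten packet.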