
RE: Protocols that refer AH (was: Death to AH)



I think there is a definite problem in education wrt AH.

Just from hearing a capsule description of ESP and AH, most people seem to
think that AH is necessary. It takes quite a lot of explaining in order to
help them understand the issues.

Michael asked "why do VPN vendors implement AH?" The answer is because it is
perceived to be necessary. Various literature on deploying VPNs talks about
it. If we don't have AH then our solution may fail the "checkbox test."

A lot of people who are using ipsec for routing seem to think that adding a
MAC to the packet is sufficient to authenticate the header. They don't
understand that intermediate routers have to check the header in order for
this to be useful. However, I suppose that this does add the possibility for
"opportunistic authentication" if some of the intermediate routers have the
keys and others don't.

I think the most likely use of AH would be within a carrier's network to
prevent bandwidth stealing. But I also have trouble constructing a scenario
that actually seems plausible. If a carrier network is monolithic, such that
traffic never leaves the network only to return later, then this doesn't
seem like a very big problem.

Andrew
-------------------------------------------
Upon closer inspection, I saw that the line
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.
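The point above about a MAC "not being sufficient to authenticate the header" comes down to what bytes the integrity check actually covers. The following is an added illustration, not code from Andrew's message or from any IPsec implementation: a simplified model of IPv4 transport mode in which the AH ICV is computed over the IP header (with the mutable fields of RFC 2402 section 3.3.3.1 zeroed) plus the AH header and payload, while the ESP ICV covers only the ESP header and its payload. The key, SPIs, addresses and payload are constructed sample values, and the "encryption" is a stand-in XOR, not real ESP crypto. It shows that a legitimate TTL decrement passes the AH check, that an on-path rewrite of the source address fails it, and that the same rewrite is invisible to an ESP-only check, which is exactly why AH only helps when some node actually verifies the header.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"   # constructed sample key, not a real SA key
ICV_LEN = 12                    # 96-bit truncated ICV, the usual AH/ESP size
PAYLOAD = b"constructed transport payload"

def ip_checksum(data):
    """Standard ones'-complement IPv4 header checksum over 'data'."""
    s = 0
    for i in range(0, len(data), 2):
        s += (data[i] << 8) + data[i + 1]
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, total_len, proto, ttl=64, tos=0, ident=0x1234, flags_frag=0x4000):
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag,
                         ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]

def zero_mutable(hdr):
    """RFC 2402 3.3.3.1: TOS, flags/fragment offset, TTL and checksum are zeroed
    before the AH ICV is computed because routers legitimately change them."""
    h = bytearray(hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]

def ah_icv(ip_hdr, ah_fixed, payload):
    """AH ICV covers the IP header (mutable fields zeroed), the AH header with
    its ICV field zeroed, and everything after it."""
    return mac(zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload)

def esp_icv(esp_hdr, ciphertext):
    """ESP ICV covers only the ESP header and payload; the outer IP header is not covered."""
    return mac(esp_hdr + ciphertext)

def build_ah_packet(src, dst, ttl=64):
    ah_fixed = struct.pack("!BBHII", 17, 4, 0, 0x1000, 1)   # next=UDP, len=4 words, SPI, seq
    total = 20 + len(ah_fixed) + ICV_LEN + len(PAYLOAD)
    hdr = ipv4_header(src, dst, total, 51, ttl)             # protocol 51 = AH
    return hdr + ah_fixed + ah_icv(hdr, ah_fixed, PAYLOAD) + PAYLOAD

def ah_verify(pkt):
    hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv, ah_icv(hdr, ah_fixed, payload))

def build_esp_packet(src, dst, ttl=64):
    esp_hdr = struct.pack("!II", 0x2000, 1)                  # SPI, seq
    ct = bytes(b ^ 0x5A for b in PAYLOAD)                    # constructed stand-in for encryption
    total = 20 + len(esp_hdr) + len(ct) + ICV_LEN
    hdr = ipv4_header(src, dst, total, 50, ttl)              # protocol 50 = ESP
    return hdr + esp_hdr + ct + esp_icv(esp_hdr, ct)

def esp_verify(pkt):
    esp_hdr, ct, icv = pkt[20:28], pkt[28:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, esp_icv(esp_hdr, ct))

def _refix_checksum(hdr):
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)

def decrement_ttl(pkt):
    """What every forwarding router legitimately does."""
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1
    return _refix_checksum(hdr) + pkt[20:]

def rewrite_src(pkt, new_src):
    """Model an on-path node rewriting the source address and fixing the checksum."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    return _refix_checksum(hdr) + pkt[20:]

def demo():
    """Return which integrity checks still pass after each kind of header change."""
    ah = build_ah_packet("10.0.0.1", "10.0.0.2")
    esp = build_esp_packet("10.0.0.1", "10.0.0.2")
    return {
        "ah_after_ttl_hop": ah_verify(decrement_ttl(ah)),                   # True
        "ah_after_src_rewrite": ah_verify(rewrite_src(ah, "192.0.2.9")),    # False
        "esp_after_src_rewrite": esp_verify(rewrite_src(esp, "192.0.2.9")), # True
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'FAILS'}")
```

Note that the check only has value at a node that holds the key and runs ah_verify; a router that merely forwards the packet learns nothing from the ICV, which is the "opportunistic authentication" situation described above.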