
Re: Protocols that refer AH (was: Death to AH)
Steve

Just wondering. Of course, the assumption that local policy (via
Certificates) will compensate for any shortcomings of a protocol might not
necessarily be correct.

Thanks
Scott
----- Original Message -----
From: "Steven M. Bellovin" <smb@research.att.com>
To: "Scott Fanning" <sfanning@cisco.com>
Cc: "Jari Arkko" <jari.arkko@kolumbus.fi>; <sommerfeld@East.Sun.COM>;
"Jun-ichiro itojun Hagino" <itojun@iijlab.net>; "IP Security List"
<ipsec@lists.tislabs.com>
Sent: Monday, March 26, 2001 12:00 PM
Subject: Re: Protocols that refer AH (was: Death to AH)


> In message <012701c0b628$79c1b960$fc2645ab@cisco.com>, "Scott Fanning" writes:
> >VRRP also talks about AH (<draft-ietf-vrrp-spec-v2-05.txt>), although it is
> >not integral to the protocol.
> >5.3.6.3 IP Authentication Header.
> >
> >Seeing that AH does authenticate more than ESP (the outside IP Header), has
> >there been any discussion on making a header that combines ESP and AH? I
> >know that ESP NULL provides just authentication, but not the same coverage
> >as AH.
>
> To what end?  AH's problems come because it tries to cover too much of
> the packet; changing ESP to do that would cause the same problems.
> Remember that you can often bind the source IP address to the certificate,
> and check that match at decryption time.
>
>
> --Steve Bellovin, http://www.research.att.com/~smb
>
>
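An added illustration of the coverage difference discussed above (this is not code from either poster and not a real IPsec implementation): it applies the RFC 2402 mutable-field rule to a constructed IPv4 header to show why a TTL decrement leaves AH's ICV intact while a source-address rewrite breaks it, and then shows the compensating local-policy check Bellovin mentions for ESP. The key, addresses, payload and the certificate-to-address binding table are all constructed sample values, and the AH header itself is folded into "payload" for brevity.

```python
import hmac
import hashlib
import struct
KEY = b"constructed-sample-key"                    # constructed; a real SA key comes from IKE
PEER_TO_SOURCE = {"CN=gw1.example": "192.0.2.1"}   # constructed local policy table

def ipv4_header(src, dst, ttl=64, tos=0):
    # 20-byte IPv4 header, no options; protocol 51 = AH. Checksum left zero for brevity.
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 60, 0x1234, 0x4000, ttl, 51, 0, ip(src), ip(dst))

def ah_immutable_view(ip_hdr):
    # RFC 2402: TOS, flags/fragment offset, TTL and checksum are mutable in transit,
    # so AH zeroes them before computing the ICV; everything else in the header is covered.
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\x00\x00"; h[8] = 0; h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_icv(ip_hdr, payload):
    # AH's ICV spans the outer header (mutable fields zeroed) plus the payload; here
    # "payload" stands for the AH header with its ICV field zeroed plus the data.
    return hmac.new(KEY, ah_immutable_view(ip_hdr) + payload, hashlib.sha256).digest()[:12]

def esp_icv(esp_data):
    # ESP's ICV never covers the outer IP header, only the ESP header and its payload.
    return hmac.new(KEY, esp_data, hashlib.sha256).digest()[:12]

def ah_accept(sent_hdr, recv_hdr, payload):
    # Would an AH receiver accept the packet after the header was modified in transit?
    return hmac.compare_digest(ah_icv(sent_hdr, payload), ah_icv(recv_hdr, payload))

def esp_accept(recv_hdr, peer_id, esp_data, expected_icv):
    # ESP verifies its own ICV, then local policy supplies what AH's header coverage
    # would have: the outer source address must match the one bound to the peer's cert.
    if not hmac.compare_digest(esp_icv(esp_data), expected_icv):
        return False
    src = ".".join(str(o) for o in recv_hdr[12:16])
    return PEER_TO_SOURCE.get(peer_id) == src

SENT = ipv4_header("192.0.2.1", "198.51.100.7")                      # as built by the sender
TTL_DECREMENTED = ipv4_header("192.0.2.1", "198.51.100.7", ttl=63)   # after one router hop
NATTED = ipv4_header("203.0.113.9", "198.51.100.7")                  # source rewritten by a NAT
PAYLOAD = b"constructed sample payload"
if __name__ == "__main__":
    print("AH survives TTL decrement:", ah_accept(SENT, TTL_DECREMENTED, PAYLOAD))  # True
    print("AH survives NAT:", ah_accept(SENT, NATTED, PAYLOAD))                      # False
    print("ESP+policy, genuine source:", esp_accept(SENT, "CN=gw1.example", PAYLOAD, esp_icv(PAYLOAD)))   # True
    print("ESP+policy, NATted source:", esp_accept(NATTED, "CN=gw1.example", PAYLOAD, esp_icv(PAYLOAD)))  # False
```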