
Re: Death to AH (was Re: SA identification)



In message <200104131628.ABY04112@mira-sjcm-3.cisco.com>, Scott Fluhrer writes:
>At 07:52 AM 4/13/01 , Steven M. Bellovin wrote:
>>In message <sjmy9t4khhm.fsf@rcn.ihtfp.org>, Derek Atkins writes:
>>>So does ESP with Authentication and NULL-encryption.
>>
>>Yes, but it's not context-free -- unless you know a priori that null 
>>encryption is being used, you can't monitor it.
>>
>>This is the one point I'll concede to the AH proponents...
>
>Actually, I wouldn't concede quite so quickly.  AH is not context-free
>either -- unless you know a priori that the packet AH is protecting is
>not itself encrypted (e.g. ESP is not being used along with AH), you
>can't monitor it either.

There's a Next Protocol field in the AH header that you can look at.


		--Steve Bellovin, http://www.research.att.com/~smb
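An added illustration of the monitoring point argued in this exchange (my own example, not code from either poster): a passive monitor parses constructed AH and ESP-NULL packets. Field layouts follow RFC 2402 (AH) and RFC 2406 (ESP); the ICV bytes and SPIs are constructed placeholders, and a 12-byte ICV is assumed.

```python
import struct

# IANA protocol numbers, as carried in the Next Header fields.
PROTO_TCP, PROTO_ESP, PROTO_AH = 6, 50, 51
ICV = b"\x00" * 12                      # constructed placeholder ICV (HMAC-*-96 length)
TCP_SEG = bytes(range(20))              # constructed stand-in for a 20-byte TCP segment

def build_ah(next_header, spi, seq, icv, payload):
    """AH: Next Header, Payload Len (AH length in 32-bit words minus 2), Reserved, SPI, Seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv + payload

def build_esp_null(next_header, spi, seq, payload, icv):
    """ESP with NULL encryption: SPI, Seq, payload, padding, Pad Len, Next Header, ICV."""
    pad = b"\x00" * (-(len(payload) + 2) % 4)      # align trailer to a 32-bit boundary
    return struct.pack("!II", spi, seq) + payload + pad + struct.pack("!BB", len(pad), next_header) + icv

def ah_inner_protocol(pkt):
    """A monitor reads the inner protocol directly from AH's Next Header field, no context needed."""
    next_header, payload_len = struct.unpack_from("!BB", pkt, 0)
    ah_len = (payload_len + 2) * 4
    return next_header, pkt[ah_len:]

def esp_inner_protocol(pkt, icv_len, null_encryption):
    """ESP's Next Header is in the trailer, which a monitor can only read if it already
    knows (out of band) that the SA uses NULL encryption."""
    if not null_encryption:
        return None                                 # trailer is ciphertext: inner protocol is opaque
    return pkt[-icv_len - 1]                        # byte just before the ICV

def classify(pkt, proto, esp_icv_len=12, esp_is_null=False):
    """Walk AH headers and report the innermost protocol the monitor can identify (None = opaque)."""
    while proto == PROTO_AH:
        proto, pkt = ah_inner_protocol(pkt)
    if proto == PROTO_ESP:
        return esp_inner_protocol(pkt, esp_icv_len, esp_is_null)
    return proto

# Constructed packets: AH over TCP, ESP-NULL over TCP, and AH over ESP-NULL (Scott's case).
AH_TCP = build_ah(PROTO_TCP, 0x100, 1, ICV, TCP_SEG)
ESP_TCP = build_esp_null(PROTO_TCP, 0x200, 1, TCP_SEG, ICV)
AH_ESP = build_ah(PROTO_ESP, 0x300, 1, ICV, ESP_TCP)
```

With AH the monitor sees TCP without any a priori knowledge, with bare ESP it sees nothing unless it knows the SA is NULL-encrypted, and with AH over ESP the AH Next Header only tells it "ESP", so the inner protocol is again opaque without that same knowledge.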
