Re: Simplifying IKE

[Francis Dupont <Francis.Dupont@enst-bretagne.fr>]

 In your previous mail you wrote:

   > 2a: eliminate ESP authentication
   > 3a: require AH on all packets. No choice, no null mode. An IPsec
   >     connection authenticates all packets, period.
   
   Choice 3a was the original intent of the SIPP security architecture (which
   became the 182x series of IPsec RFCs)....
   
   The biggest motivator behind AH was to allow an authenticated source route.
   Now as Steve Bellovin has pointed out, unless you can configure a hop-by-hop
   key, the middle can send that packet anywhere it wants before it reaches the
   end.
   
   I wish there were some ISP/ops types on this list (maybe there are and I'm
   just being an airhead).  I believe the source route header is primarily used
   to see what paths are broken in a network - using the process of elimination.
   Using AH (or ESP authentication) insures that the packet came from where it
   claims to have come from.  THAT is why AH was developed, but ESP
   authentication can provide a source-routed packet with similar properties.
   
=> (about the last statement) how? ESP authentication doesn't cover headers.

Regards

Francis.Dupont@enst-bretagne.fr

PS: I am not in favor to reduce IPsec to VPNs, the thing which will happen
if we remove AH then transport mode...

---

Follow-Ups:

• Re: Simplifying IKE
• From: Michael Thomas <mat@cisco.com>
• Re: Simplifying IKE
• From: Henry Spencer <henry@spsystems.net>

References:

• Re: Simplifying IKE
• From: Dan McDonald <danmcd@East.Sun.COM>

---

• Prev by Date: Re: (More) immediate changes to help interop problems?
• Next by Date: Re: Simplifying IKE
• Prev by thread: Scope for the new keying protocol [Was: Simplifying IKE]
• Next by thread: Re: Simplifying IKE
• Index(es):
  • Main
  • Thread