[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Simplifying IKE
In your previous mail you wrote:
> 2a: eliminate ESP authentication
> 3a: require AH on all packets. No choice, no null mode. An IPsec
> connection authenticates all packets, period.
Choice 3a was the original intent of the SIPP security architecture (which
became the 182x series of IPsec RFCs)....
The biggest motivator behind AH was to allow an authenticated source route.
Now as Steve Bellovin has pointed out, unless you can configure a hop-by-hop
key, the middle can send that packet anywhere it wants before it reaches the
end.
I wish there were some ISP/ops types on this list (maybe there are and I'm
just being an airhead). I believe the source route header is primarily used
to see what paths are broken in a network - using the process of elimination.
Using AH (or ESP authentication) insures that the packet came from where it
claims to have come from. THAT is why AH was developed, but ESP
authentication can provide a source-routed packet with similar properties.
=> (about the last statement) how? ESP authentication doesn't cover headers.
Regards
Francis.Dupont@enst-bretagne.fr
PS: I am not in favor to reduce IPsec to VPNs, the thing which will happen
if we remove AH then transport mode...
Follow-Ups:
References: