
Re: Simplifying IKE



 In your previous mail you wrote:

   AH or not-AH has nothing to do with VPN or end-to-end IPsec use.
   
=> the sub-thread is more about ESP tunnel mode vs. others.
VPNs don't need AH at all; even if you can do AH in tunnel mode, this
just adds bits for no benefit. Tunnel mode for end-to-end IPsec
adds bits and removes some properties (cf. your next statement).

   As Steve Bellovin has pointed out on numerous occasions, the IP header
   in transport-mode ESP can be "authenticated" merely by doing a compare
   of the source and destination addresses against static state in the
   SA...
   
=> this "authentication" by side effect is mandatory according to RFC
2401 5.2.1 step 2 but:
 - it doesn't work with tunnel mode
 - it covers only the source address, not enough for interesting cases
   like MIPv6 BUs (where both the care-of and the home addresses
   (two source addresses) have to be protected).
I believe this is why AH is useful only for IPv6 (IPv4 options are
not used/usable: no need to protect them).

Regards

Francis.Dupont@enst-bretagne.fr
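The side-effect check discussed above, written out as an added example that is not part of the original message or of any IPsec implementation. It models the inbound processing the mail attributes to RFC 2401 5.2.1: after the ESP integrity check passes, the packet's source and destination addresses are compared with the static endpoint addresses stored in the SA. The `SecurityAssociation` and `InboundEspPacket` structures, the field names, and the sample addresses are hypothetical simplifications constructed for the illustration; the function also reports which address fields the comparison leaves untied to the SA, which is exactly the tunnel-mode and MIPv6 home-address gap the mail points at.

```python
"""Model of the implicit address check on inbound transport-mode ESP.

Added example (not from the original mail). The SA and packet records are
hypothetical, reduced to the fields needed to show what the compare covers.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SecurityAssociation:
    """Static state the receiver keeps per inbound ESP SA (constructed model)."""
    spi: int
    peer: str    # address the SA was set up with: the expected packet source
    local: str   # our own address: the expected packet destination
    mode: str    # "transport" or "tunnel"


@dataclass
class InboundEspPacket:
    """Address fields of a received ESP packet after decryption (constructed model)."""
    spi: int
    outer_src: str
    outer_dst: str
    icv_valid: bool                      # ESP integrity check result, assumed already computed
    inner_src: Optional[str] = None      # tunnel mode: source of the encapsulated IP header
    inner_dst: Optional[str] = None      # tunnel mode: destination of the encapsulated header
    home_address: Optional[str] = None   # MIPv6 Home Address option: a second source address


def esp_inbound_check(sa: SecurityAssociation,
                      pkt: InboundEspPacket) -> Tuple[bool, List[str]]:
    """Return (accepted, unverified).

    accepted   -- the side-effect check passed: SPI matches, ESP ICV verified,
                  and the outer src/dst equal the SA's static endpoints.
    unverified -- address fields the packet carries that this comparison does
                  not tie to the SA, i.e. what an AH-style header check would
                  have covered and the ESP compare does not.
    """
    if pkt.spi != sa.spi or not pkt.icv_valid:
        return False, []
    # The actual "authentication by side effect": addresses vs. SA state.
    if pkt.outer_src != sa.peer or pkt.outer_dst != sa.local:
        return False, []

    unverified: List[str] = []
    if sa.mode == "tunnel":
        # The outer header matched the tunnel endpoints, but the inner header,
        # which is what the upper layer actually sees, was never compared with
        # SA endpoint state: the compare does not carry over to tunnel mode.
        if pkt.inner_src is not None:
            unverified.append("inner_src")
        if pkt.inner_dst is not None:
            unverified.append("inner_dst")
    if pkt.home_address is not None:
        # Only one source address is covered; a home address carried in an
        # extension header is a second source address with no SA state behind it.
        unverified.append("home_address")
    return True, unverified


if __name__ == "__main__":
    # Constructed sample addresses (documentation prefix), not real endpoints.
    transport_sa = SecurityAssociation(0x1001, "2001:db8::1", "2001:db8::2", "transport")
    tunnel_sa = SecurityAssociation(0x2002, "2001:db8:a::1", "2001:db8:b::1", "tunnel")

    print(esp_inbound_check(transport_sa, InboundEspPacket(
        0x1001, "2001:db8::1", "2001:db8::2", True)))
    print(esp_inbound_check(transport_sa, InboundEspPacket(
        0x1001, "2001:db8::ffff", "2001:db8::2", True)))          # forged source: rejected
    print(esp_inbound_check(transport_sa, InboundEspPacket(
        0x1001, "2001:db8::1", "2001:db8::2", True, home_address="2001:db8:9::5")))
    print(esp_inbound_check(tunnel_sa, InboundEspPacket(
        0x2002, "2001:db8:a::1", "2001:db8:b::1", True,
        inner_src="2001:db8:a::77", inner_dst="2001:db8:b::42")))
```

The second result shows the check doing its job in transport mode (a forged source address fails the compare even with a valid ICV); the third and fourth show the two gaps from the mail, a home address and the inner tunnel header, reaching the upper layer without any SA state vouching for them.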

