RE: Simplifying IKE
Francis,
There are "ISP/ops" types on this list. I do not know of anyone using AH
for securing source-routed packets being used for debugging. In fact I know
of very few people using AH for *anything*. I have forwarded the question
to the NANOG (North American Network Operators Group). I will summarize
replies and forward to the IPSEC mailing list. Also, I think that keeping
transport mode is important. One common VPN application for transport mode
is securing IP in IP tunnels (see draft-touch-ipsec-vpn-01.txt).
Mike Horn
> -----Original Message-----
> From: Francis Dupont [mailto:Francis.Dupont@enst-bretagne.fr]
> Sent: Wednesday, August 08, 2001 6:48 AM
> To: Dan McDonald
> Cc: Sandy Harris; ipsec@lists.tislabs.com
> Subject: Re: Simplifying IKE
>
>
> In your previous mail you wrote:
>
> > 2a: eliminate ESP authentication
> > 3a: require AH on all packets. No choice, no null mode. An IPsec
> > connection authenticates all packets, period.
>
> Choice 3a was the original intent of the SIPP security architecture (which
> became the 182x series of IPsec RFCs)....
>
> The biggest motivator behind AH was to allow an authenticated source route.
> Now as Steve Bellovin has pointed out, unless you can configure a hop-by-hop
> key, the middle can send that packet anywhere it wants before it reaches the
> end.
>
> I wish there were some ISP/ops types on this list (maybe there are and I'm
> just being an airhead). I believe the source route header is primarily used
> to see what paths are broken in a network - using the process of elimination.
> Using AH (or ESP authentication) ensures that the packet came from where it
> claims to have come from. THAT is why AH was developed, but ESP
> authentication can provide a source-routed packet with similar properties.
>
> => (about the last statement) how? ESP authentication doesn't cover headers.
>
> Regards
>
> Francis.Dupont@enst-bretagne.fr
>
> PS: I am not in favor of reducing IPsec to VPNs, which is what will happen
> if we remove AH and then transport mode...
>
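As an added illustration of the point argued in the quoted exchange (demo code written for this archive page, not code from the IPsec working group, the RFCs or any of the correspondents): a byte-level model of what an AH ICV covers versus what an ESP authenticator covers, applied to a source-routed IPv6 packet. It assumes HMAC-SHA-1-96 (RFC 2404) with a constructed key, ESP with NULL encryption (RFC 2410) so only authentication is in play, the Type 0 routing header processing of RFC 2460, and AH's treatment of that header as "mutable but predictable" (the sender computes the ICV over the header as the final destination will see it, RFC 2402). The addresses, the `Packet` model and the function names are all constructed for the demo.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

# Constructed demo key; a real SA would carry a key negotiated by IKE.
AUTH_KEY = b"constructed-demo-key-not-a-real-SA"
PROTO_AH, PROTO_ROUTING, PROTO_UDP = 51, 43, 17


def hmac_sha1_96(data: bytes) -> bytes:
    """HMAC-SHA-1 truncated to 96 bits, the authenticator of RFC 2404."""
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()[:12]


def addr(n: int) -> bytes:
    """Constructed 16-byte address 2001:db8::n for the demo."""
    return bytes.fromhex("20010db8") + bytes(10) + struct.pack("!H", n)


@dataclass
class Packet:
    src: bytes
    dst: bytes
    hop_limit: int
    segments_left: int
    route: list            # Type 0 routing header address list (RFC 2460 s4.4)
    spi: int
    seq: int
    payload: bytes
    ah_icv: bytes = b""
    esp_icv: bytes = b""


def forward_one_hop(pkt: Packet) -> Packet:
    """What an honest listed hop does: decrement Hop Limit and, while Segments
    Left > 0, swap the destination address with the next listed address."""
    pkt = replace(pkt, hop_limit=pkt.hop_limit - 1, route=list(pkt.route))
    if pkt.segments_left > 0:
        pkt.segments_left -= 1
        i = len(pkt.route) - pkt.segments_left - 1
        pkt.dst, pkt.route[i] = pkt.route[i], pkt.dst
    return pkt


def final_form(pkt: Packet) -> Packet:
    """Headers as the final destination sees them. The sender uses this to
    predict the routing header; the demo uses it to walk the packet there."""
    while pkt.segments_left > 0:
        pkt = forward_one_hop(pkt)
    return pkt


def ah_covered_bytes(pkt: Packet) -> bytes:
    """AH coverage: IPv6 header with mutable fields (hop limit, traffic class,
    flow label) zeroed, the routing header in its final form, the AH header with
    its ICV field zeroed, and the payload. Source and destination are covered."""
    f = final_form(pkt)
    rthdr = struct.pack("!BBBBI", PROTO_AH, 2 * len(f.route), 0, f.segments_left, 0)
    rthdr += b"".join(f.route)
    ah = struct.pack("!BBHII", PROTO_UDP, 4, 0, pkt.spi, pkt.seq) + bytes(12)
    plen = len(rthdr) + len(ah) + len(pkt.payload)
    ip6 = struct.pack("!IHBB", 0x60000000, plen, PROTO_ROUTING, 0) + f.src + f.dst
    return ip6 + rthdr + ah + pkt.payload


def esp_covered_bytes(pkt: Packet) -> bytes:
    """ESP coverage: ESP header, payload and ESP trailer only (NULL encryption).
    No IP header and no extension header is included at all."""
    esp_hdr = struct.pack("!II", pkt.spi, pkt.seq)
    trailer = struct.pack("!BB", 0, PROTO_UDP)       # pad length 0, next header
    return esp_hdr + pkt.payload + trailer


def sign(pkt: Packet) -> Packet:
    """Compute both authenticators so the two protocols can be compared."""
    return replace(pkt, ah_icv=hmac_sha1_96(ah_covered_bytes(pkt)),
                   esp_icv=hmac_sha1_96(esp_covered_bytes(pkt)))


def ah_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.ah_icv, hmac_sha1_96(ah_covered_bytes(pkt)))


def esp_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.esp_icv, hmac_sha1_96(esp_covered_bytes(pkt)))


def run_scenarios() -> dict:
    S, A, B, D, M = (addr(n) for n in (1, 2, 3, 4, 0x666))
    # S sends to D via A then B: initial destination A, list holds B then D.
    sent = sign(Packet(S, A, 64, 2, [B, D], 0x1234, 1, b"constructed UDP probe"))
    honest = final_form(sent)
    # A middle box rewrites the source-route list so the packet detours via M.
    detoured = final_form(replace(sent, route=[M, D]))
    # A middle box rewrites the source address of an otherwise untouched packet.
    spoofed = final_form(replace(sent, src=M))
    return {"honest": (ah_verify(honest), esp_verify(honest)),
            "detoured": (ah_verify(detoured), esp_verify(detoured)),
            "spoofed_src": (ah_verify(spoofed), esp_verify(spoofed))}


if __name__ == "__main__":
    for name, (ah_ok, esp_ok) in run_scenarios().items():
        print(f"{name:12s} AH verifies: {ah_ok!s:5s} ESP auth verifies: {esp_ok}")
```

Run as written, the honest delivery verifies under both protocols, while the detoured packet and the packet with a rewritten source address still pass ESP authentication and fail AH, which is the difference the quoted "ESP authentication doesn't cover headers" remark is about. The model also makes Bellovin's objection visible: the AH ICV is computed over the predicted final form, so it verifies identically whether or not the packet really passed through A and B, which is why a per-hop key would be needed to authenticate the path rather than just the sender's claim about it.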