
RE: Simplifying IKE



Francis,

There are "ISP/ops" types on this list.  I do not know of anyone using AH
for securing source-routed packets being used for debugging.  In fact, I know
of very few people using AH for *anything*.  I have forwarded the question
to the NANOG (North American Network Operators Group).  I will summarize
replies and forward to the IPSEC mailing list.  Also, I think that keeping
transport mode is important.  One common VPN application for transport mode
is securing IP in IP tunnels (see draft-touch-ipsec-vpn-01.txt).

Mike Horn

 > -----Original Message-----
 > From: Francis Dupont [mailto:Francis.Dupont@enst-bretagne.fr]
 > Sent: Wednesday, August 08, 2001 6:48 AM
 > To: Dan McDonald
 > Cc: Sandy Harris; ipsec@lists.tislabs.com
 > Subject: Re: Simplifying IKE 
 > 
 > 
 >  In your previous mail you wrote:
 > 
 >    > 2a: eliminate ESP authentication
 >    > 3a: require AH on all packets. No choice, no null mode. An IPsec
 >    >     connection authenticates all packets, period.
 >    
 >    Choice 3a was the original intent of the SIPP security architecture
 >    (which became the 182x series of IPsec RFCs)....
 >    
 >    The biggest motivator behind AH was to allow an authenticated source
 >    route.  Now as Steve Bellovin has pointed out, unless you can configure
 >    a hop-by-hop key, the middle can send that packet anywhere it wants
 >    before it reaches the end.
 >    
 >    I wish there were some ISP/ops types on this list (maybe there are and
 >    I'm just being an airhead).  I believe the source route header is
 >    primarily used to see what paths are broken in a network - using the
 >    process of elimination.  Using AH (or ESP authentication) ensures that
 >    the packet came from where it claims to have come from.  THAT is why AH
 >    was developed, but ESP authentication can provide a source-routed
 >    packet with similar properties.
 >    
 > => (about the last statement) how?  ESP authentication doesn't cover
 > headers.
 > 
 > Regards
 > 
 > Francis.Dupont@enst-bretagne.fr
 > 
 > PS: I am not in favor of reducing IPsec to VPNs, which is what will
 > happen if we remove AH and then transport mode...
 > 
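The point at issue in the quoted exchange (what an AH ICV covers that an ESP ICV does not, and why, as the Bellovin remark says, even AH cannot pin down the path a packet actually took) can be made concrete with a small model.  The following is an added example, not code from this thread or from any IPsec implementation.  It models an IPv6 packet carrying a Routing Header Type 0, applies a simplified version of the RFC 2402 coverage rules for AH (mutable fields such as the hop limit treated as zero; mutable-but-predictable fields such as the destination address and the routing header in the form they will have at the final destination) and the ESP rule (ICV over SPI, sequence number and payload only), then walks the packet through two listed hops.  The addresses, key, SPI, sequence number and payload are constructed for the example, and a truncated HMAC-SHA-256 stands in for whichever ICV algorithm the SA would really use.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

# Constructed demo key; on a real SA the key would come from IKE.
KEY = b"constructed-demo-key-not-for-real-use"


@dataclass
class Packet:
    """The parts of an IPv6 packet with a Routing Header Type 0 that matter here."""
    src: str
    dst: str            # Destination Address; RH0 rewrites it at every listed hop
    hop_limit: int
    route: list         # RH0 address list
    segments_left: int
    spi: int            # SPI of the AH/ESP SA (constructed)
    seq: int            # sequence number (constructed)
    payload: bytes


def addr(a):
    return ipaddress.IPv6Address(a).packed


def rh0_step(dst, route, segments_left):
    """RH0 processing at a listed hop: swap dst with the next address in the list."""
    i = len(route) - segments_left
    route = list(route)
    dst, route[i] = route[i], dst
    return dst, route, segments_left - 1


def ah_covered_bytes(pkt):
    """What the AH ICV is computed over (simplified RFC 2402 rules): immutable
    fields as sent, mutable fields (hop limit) as zero, and mutable-but-predictable
    fields (dst, the RH0 list, segments left) in the form they will have at the
    final destination, which the sender obtains by replaying RH0 processing."""
    dst, route, s = pkt.dst, pkt.route, pkt.segments_left
    while s > 0:
        dst, route, s = rh0_step(dst, route, s)
    zero_hop_limit = b"\x00"
    return (addr(pkt.src) + addr(dst) + zero_hop_limit + bytes([s])
            + b"".join(addr(a) for a in route) + pkt.payload)


def esp_covered_bytes(pkt):
    """What the ESP ICV is computed over: SPI, sequence number and payload only."""
    return pkt.spi.to_bytes(4, "big") + pkt.seq.to_bytes(4, "big") + pkt.payload


def icv(data, key=KEY):
    # HMAC-SHA-256 truncated to 96 bits, the same shape as HMAC-SHA-1-96 in the RFCs.
    return hmac.new(key, data, hashlib.sha256).digest()[:12]


def ah_verifies(pkt, tag):
    return hmac.compare_digest(icv(ah_covered_bytes(pkt)), tag)


def esp_verifies(pkt, tag):
    return hmac.compare_digest(icv(esp_covered_bytes(pkt)), tag)


def listed_hop(pkt, rewrite=None):
    """A router named in the RH0 list: optionally tamper with the remaining list,
    then do normal RH0 processing and decrement the hop limit."""
    route = rewrite(pkt.route) if rewrite else pkt.route
    dst, route, s = rh0_step(pkt.dst, route, pkt.segments_left)
    return replace(pkt, dst=dst, route=route, segments_left=s, hop_limit=pkt.hop_limit - 1)


def transit_hop(pkt):
    """A router not named in the list (one a misbehaving hop detoured through):
    it only decrements the hop limit."""
    return replace(pkt, hop_limit=pkt.hop_limit - 1)


def deliver(rewrite_at_r1=None, detour_hops=0):
    """Source-route a packet SRC -> R1 -> R2 -> DST and report whether the AH
    and ESP integrity checks pass at DST.  R1 may rewrite the remaining route
    (rewrite_at_r1) or forward through detour_hops unlisted routers first."""
    pkt = Packet(src="2001:db8::1", dst="2001:db8::a",                 # first hop R1
                 hop_limit=64, route=["2001:db8::b", "2001:db8::ff"],  # R2, DST
                 segments_left=2, spi=0x1000, seq=1,
                 payload=b"constructed payload")
    ah_tag = icv(ah_covered_bytes(pkt))     # both tags computed at the sender
    esp_tag = icv(esp_covered_bytes(pkt))
    pkt = listed_hop(pkt, rewrite_at_r1)    # R1
    for _ in range(detour_hops):
        pkt = transit_hop(pkt)              # wherever R1 chose to send it
    pkt = listed_hop(pkt)                   # R2 (or whatever R1 put in its place)
    return ah_verifies(pkt, ah_tag), esp_verifies(pkt, esp_tag)


if __name__ == "__main__":
    print("honest path:      ", deliver())
    print("R1 rewrites route:", deliver(rewrite_at_r1=lambda r: ["2001:db8::bad"] + r[1:]))
    print("R1 detours packet:", deliver(detour_hops=3))
```

On the honest path both checks pass.  When R1 replaces the next listed address with one of its own choosing, the AH check fails at DST because the routing header it receives is not the one the sender predicted, while the ESP check still passes: the ESP ICV never covered the header, which is Francis's objection to the last quoted statement.  When R1 leaves the packet untouched but detours it through routers not in the list, both checks pass, since only the hop limit changed and AH treats it as zero; that is the Bellovin point that without a hop-by-hop key, the middle can send the packet anywhere before it reaches the end.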
