
Require AH?



Dropping AH has been suggested from time to time. The proposal seems to get
considerable support, but also some opposition. I'm not entirely clear on reasons
for the opposition, but it seems to revolve around things like mobile IP that
may need header authentication and arguably don't always need encryption.

Currently we have three binary choices. Use AH, use ESP authentication, use
ESP encryption. This gives us 8 possibilities:

	use none, just do normal IP
	two with duplicate authentication in both AH and ESP
	  (with or without encryption)
	two ways to do authentication alone
	  (AH or ESP-null)
	two ways to do encryption + authentication
	  (AH or ESP authentication)
	one way to encrypt without authentication
	  (ESP with no authentication)

The last is a very bad idea and implementations should prohibit it, but
I think the current protocol definition allows it.

The various lines starting "two ..." all indicate unnecessary complications:
more options for IKE to negotiate, more combinations to implement and test,
more things for the SADB to track.

If we dump AH, we get rid of half the options and are left with:

	use none, just do normal IP
	one way to do authentication alone,  ESP-null
	one way to do encryption + authentication, ESP
	one way to encrypt without authentication
	  (ESP with no authentication)

The last alternative is unchanged and still a bad idea. We could get rid of
it by requiring that ESP always authenticate.

An alternative would be to require AH on all IPsec connections, giving:

	use none, just do normal IP
	one way to do authentication alone,  AH
	one way to do encryption + authentication, AH + ESP

This gets rid of that nasty fourth alternative, keeps AH for those that
need it, and lets us drop ESP-null.

If AH is actually needed, which some people have claimed in previous
discussions, then the last strikes me as the best choice. 

Of course, this was likely discussed back before authentication was
added to ESP. Why was it rejected then?
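
Added example, not part of the original message: a short Python enumeration of the three binary choices that shows which combinations survive under each rule set the message discusses. The names classify, POLICIES and remaining are hypothetical, and the "require AH" rule assumes ESP authentication is dropped entirely, as the message's three-item list implies.

```python
from collections import Counter
from itertools import product


def classify(ah, esp_auth, esp_enc):
    """Map one (AH, ESP auth, ESP encryption) choice to the message's categories."""
    if not (ah or esp_auth or esp_enc):
        return "normal IP"
    if ah and esp_auth:
        return "duplicate authentication"
    if esp_enc:
        if ah or esp_auth:
            return "encryption + authentication"
        return "encryption without authentication"
    return "authentication alone"


# The rule sets from the message, as predicates over one combination.
POLICIES = {
    "current": lambda ah, ea, ee: True,
    "drop AH": lambda ah, ea, ee: not ah,
    # Assumption: with AH mandatory on every IPsec connection, ESP
    # authentication (and so ESP-null) no longer exists.
    "require AH": lambda ah, ea, ee: (not ea) if ah else not (ea or ee),
}


def remaining(policy, esp_must_authenticate=False):
    """Return {category: count} for the combinations a policy still allows."""
    counts = Counter()
    for ah, ea, ee in product((False, True), repeat=3):
        if not POLICIES[policy](ah, ea, ee):
            continue
        # Optional extra rule: ESP encryption is refused unless ESP authenticates.
        if esp_must_authenticate and ee and not ea:
            continue
        counts[classify(ah, ea, ee)] += 1
    return dict(counts)


if __name__ == "__main__":
    for name in POLICIES:
        print(name, remaining(name))
    print("drop AH, ESP must authenticate", remaining("drop AH", True))
```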

