
Re: Why can't ESP authenticate IP header?




----- Original Message -----
From: "Scheffler, Thomas" <Thomas.Scheffler@t-systems.de>
To: <lokeshnb@intotoinc.com>; <ipsec@lists.tislabs.com>
Sent: Friday, September 21, 2001 5:26 PM
Subject: AW: Why can't ESP authenticate IP header?


Hello Thomas,
>
> >Can anyone help me find answers to the following questions?
> >
> >1. One of the reasons cited in support of AH is that
> >    it is needed for mobile IP users since their IP addresses
> >   change and they need authentication for the source IP address,
> >   which can be done by AH. Here I want to know why we can't
> >   make ESP authenticate the IP header also. Are there any
> >   other issues involved in this?
>
> The ESP authentication does not include the IP-header, which is
> included in the AH authentication. Also you would need a
> none-encryption for the ESP-'encryptor' which is discouraged.

I think you didn't get my question right. I asked why a separate protocol,
AH, is designed just to authenticate the IP header, when it could very well
have been done using the authentication provided by ESP. Also, you said
something about none-encryption (I assume you mean null-encryption) being
required; I don't understand that point. How do we need a null encryption
if you want to authenticate the IP header?

-Lokesh

>
> >2. Apart from mobile ip user reason, is there any  other
> >   requirement that needs AH ?
>
> Huh, I think the whole IPv6-world depends heavily on IPsec
> and especially AH to authenticate Router-Advertisements and
> such.
> There are not so many IPv6 folks active in the IPsec area,
> or the other way around, therefore it tends to be forgotten.
>
> Cheers,
> Thomas
>
> ********************************************
>
> Dipl. Inform. Thomas Scheffler
>
> T-Systems Nova GmbH
> Berkom
> Berlin, Germany
>
> Tel: ++49 (0)30 - 3497 2274
> Fax: ++49 (0)30 - 3497 2275
>
> email: thomas.scheffler@telekom.de
>
> #>Custom designed reality is a labour intensive product
>



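The two integrity-check scopes the question and the reply are talking about, laid out concretely as an added example (this is not code from either poster and not any IPsec implementation's code): constructed IPv4 transport-mode AH and ESP packets are built in Python with HMAC-SHA1-96 (RFC 2404), ESP using the NULL encryption algorithm (RFC 2410), and each ICV is then checked after the header changes a router or a NAT makes. The AH ICV input is the IP header with its mutable fields zeroed (RFC 4302), the AH header with the ICV field zeroed, and the payload; the ESP ICV input is only SPI, sequence number, payload and trailer (RFC 4303). Addresses, payload bytes and the key are constructed for the demonstration.

```python
import hmac
import hashlib
import struct
import ipaddress

ICV_LEN = 12                                    # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits
IPPROTO_ESP, IPPROTO_AH, IPPROTO_UDP = 50, 51, 17


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over the IPv4 header (checksum field must be zero on input)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                                ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr)


def zero_mutable_fields(iphdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1: TOS, Flags, Fragment Offset, TTL and Header Checksum are zeroed
    before the AH ICV is computed. Source and destination addresses are NOT zeroed."""
    h = bytearray(iphdr)
    h[1] = 0                        # TOS / DSCP / ECN
    h[6:8] = b"\x00\x00"            # flags + fragment offset
    h[8] = 0                        # TTL
    h[10:12] = b"\x00\x00"          # header checksum
    return bytes(h)


def ah_icv(key: bytes, iphdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """AH ICV input: IP header (mutable fields zeroed) + AH header with ICV zeroed + payload."""
    covered = zero_mutable_fields(iphdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def esp_icv(key: bytes, esp_body: bytes) -> bytes:
    """ESP ICV input: SPI, sequence number, payload, padding, pad length, next header.
    The outer IP header is simply not part of the input."""
    return hmac.new(key, esp_body, hashlib.sha1).digest()[:ICV_LEN]


def build_ah(key: bytes, src: str, dst: str, payload: bytes, spi: int = 0x1001, seq: int = 1) -> bytes:
    # AH header: next header, payload len (AH length in 32-bit words minus 2), reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", IPPROTO_UDP, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    iphdr = ipv4_header(src, dst, IPPROTO_AH, 20 + 12 + ICV_LEN + len(payload))
    return iphdr + ah_fixed + ah_icv(key, iphdr, ah_fixed, payload) + payload


def build_esp_null(key: bytes, src: str, dst: str, payload: bytes, spi: int = 0x2002, seq: int = 1) -> bytes:
    """ESP with NULL encryption (RFC 2410): payload stays plaintext, trailer 4-byte aligned."""
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_UDP])   # default padding 1,2,3,...
    body = struct.pack("!II", spi, seq) + payload + trailer
    iphdr = ipv4_header(src, dst, IPPROTO_ESP, 20 + len(body) + ICV_LEN)
    return iphdr + body + esp_icv(key, body)


def verify_ah(key: bytes, pkt: bytes) -> bool:
    iphdr, rest = pkt[:20], pkt[20:]
    if iphdr[9] != IPPROTO_AH:
        return False
    ah_len = (rest[1] + 2) * 4
    ah_fixed, icv, payload = rest[:12], rest[12:ah_len], rest[ah_len:]
    return hmac.compare_digest(icv, ah_icv(key, iphdr, ah_fixed, payload))


def verify_esp(key: bytes, pkt: bytes) -> bool:
    iphdr, esp = pkt[:20], pkt[20:]
    if iphdr[9] != IPPROTO_ESP:
        return False
    return hmac.compare_digest(esp[-ICV_LEN:], esp_icv(key, esp[:-ICV_LEN]))


def _patch_header(pkt: bytes, offset: int, value: bytes) -> bytes:
    """Overwrite a header field and recompute the IP checksum, as a router or NAT would."""
    h = bytearray(pkt[:20])
    h[offset:offset + len(value)] = value
    h[10:12] = b"\x00\x00"
    struct.pack_into("!H", h, 10, ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def rewrite_source(pkt: bytes, new_src: str) -> bytes:
    return _patch_header(pkt, 12, ipaddress.IPv4Address(new_src).packed)


def decrement_ttl(pkt: bytes) -> bytes:
    return _patch_header(pkt, 8, bytes([pkt[8] - 1]))


def demo() -> dict:
    key = b"constructed-demo-key"                              # constructed, not a real key
    payload = b"\x00\x35\x00\x35\x00\x10\x00\x00hello!!!"       # constructed UDP-shaped bytes
    ah = build_ah(key, "10.0.0.1", "10.0.0.2", payload)
    esp = build_esp_null(key, "10.0.0.1", "10.0.0.2", payload)
    return {
        "ah_ok": verify_ah(key, ah),
        "esp_ok": verify_esp(key, esp),
        "ah_survives_router_hop": verify_ah(key, decrement_ttl(ah)),
        "ah_detects_src_rewrite": not verify_ah(key, rewrite_source(ah, "192.0.2.9")),
        "esp_detects_src_rewrite": not verify_esp(key, rewrite_source(esp, "192.0.2.9")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` gives the expected split: both packets verify as sent, the AH packet still verifies after a TTL decrement because TTL and checksum are zeroed in the ICV input, the AH packet fails after the source address is rewritten, and the ESP packet still verifies after the same rewrite because its ICV never saw the outer header. In tunnel mode ESP does authenticate the inner IP header, since it is part of the encapsulated payload, but the outer header is outside the ICV in both modes.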