
RE: Why can't ESP authenticate IP header?



Lokesh

There are times when one only needs authentication but not encryption. For
example, routing protocol updates will be authenticated but not encrypted.
Authentication for BGP, for example, would be a **good** thing (tm).

AH fits the bill for this type of application whereas ESP would be overkill.
Also, I am not sure how many ESP implementations include NULL encryption.

Regards

Bora


|-----Original Message-----
|From: lokesh [mailto:lokeshnb@intotoinc.com]
|Sent: Friday, September 21, 2001 6:02 AM
|To: Scheffler, Thomas
|Cc: ipsec@lists.tislabs.com
|Subject: Re: Why can't ESP authenticate IP header?
|
|
|
|----- Original Message -----
|From: "Scheffler, Thomas" <Thomas.Scheffler@t-systems.de>
|To: <lokeshnb@intotoinc.com>; <ipsec@lists.tislabs.com>
|Sent: Friday, September 21, 2001 5:26 PM
|Subject: AW: Why can't ESP authenticate IP header?
|
|
| Hello Thomas,
|>
|> >Can anyone help me to find answers to following questions
|> >
|> >1. One of the reasons cited in support of AH is that
|> >    it is needed for mobile IP users since, their ip addresses
|> >   change and need Authentication for the source IP address
|> >   that can be done by AH. Here I want to know, why can't
|> >   we make ESP authenticate IP header also? are there any
|> >   other issues involved in this?
|>
|> The ESP authentication does not include the IP-header, which is
|> included in the AH authentication. Also you would need a
|> none-encryption for the ESP-'encryptor' which is discouraged.
|
|I think you didn't get my question right, I asked why a separate protocol
|AH is designed just to authenticate ip header, when it could have been very
|well done using authentication provided by esp. Also, you said something
|none-encryption (I assume you mean null-encryption)
|is required, I don't understand that point,
|how we need a null encryption if you need to authenticate ip header?
|
|-Lokesh
|
|>
|> >2. Apart from mobile ip user reason, is there any other
|> >   requirement that needs AH ?
|>
|> Huh, I think the whole IPv6-world depends heavily on IPsec
|> and especially AH to authenticate Router-Advertisements and
|> such.
|> There are not so many IPv6 folks active in the IPsec area,
|> or the other way around, therefore it tends to be forgotten.
|>
|> Cheers,
|> Thomas
|>
|> ********************************************
|>
|> Dipl. Inform. Thomas Scheffler
|>
|> T-Systems Nova GmbH
|> Berkom
|> Berlin, Germany
|>
|> Tel: ++49 (0)30 - 3497 2274
|> Fax: ++49 (0)30 - 3497 2275
|>
|> email: thomas.scheffler@telekom.de
|>
|> #>Custom designed reality is a labour intensive product
|> **********************************************************************
|> This email and any files transmitted with it are confidential and
|> intended solely for the use of the individual or entity to whom they
|> are addressed. If you have received this email in error please notify
|> the system manager.
|>
|
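
The coverage difference discussed in this thread (the AH integrity check includes the IP header, the ESP one does not), as an added example that is not part of the original messages. It assumes IPv4 without options, transport mode, HMAC-SHA1-96 for both protocols and ESP with NULL encryption; the key, addresses, SPIs and payload are constructed sample values.

```python
import hashlib, hmac, struct

KEY = b"constructed-demo-key"            # constructed sample key
PAYLOAD = b"constructed routing update"  # constructed upper-layer data

def ipv4(proto, length, ttl=64):
    # 20-byte IPv4 header, no options; checksum left at 0 for brevity
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + length, 0, 0, ttl,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def icv(data):
    # HMAC-SHA1-96: HMAC-SHA1 truncated to 12 bytes
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(pkt):
    # AH input: the whole packet, with the mutable IPv4 fields (TOS, flags
    # and fragment offset, TTL, checksum) and the ICV field itself zeroed
    p = bytearray(pkt)
    p[1] = p[8] = 0
    p[6:8] = p[10:12] = b"\x00\x00"
    p[32:44] = bytes(12)
    return icv(bytes(p))

def build_ah():
    # AH header: next header 6 (TCP), payload len 4, reserved, SPI, sequence
    ah = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1) + bytes(12)
    pkt = bytearray(ipv4(51, len(ah) + len(PAYLOAD)) + ah + PAYLOAD)
    pkt[32:44] = ah_icv(pkt)
    return bytes(pkt)

def build_esp():
    # ESP with NULL encryption: SPI, sequence, clear payload, padding,
    # pad length, next header, then the ICV
    pad = -(len(PAYLOAD) + 2) % 4
    body = (struct.pack("!II", 0x2000, 1) + PAYLOAD
            + bytes(range(1, pad + 1)) + bytes([pad, 6]))
    return ipv4(50, len(body) + 12) + body + icv(body)

def verify_ah(pkt):
    return hmac.compare_digest(ah_icv(pkt), pkt[32:44])

def verify_esp(pkt):
    # ESP input starts after the IP header and stops before the ICV
    return hmac.compare_digest(icv(pkt[20:-12]), pkt[-12:])

def rewrite(pkt, ttl=64, src=(192, 0, 2, 1)):
    # Simulate in-transit changes to the IP header (TTL, source address)
    return pkt[:8] + bytes([ttl]) + pkt[9:12] + bytes(src) + pkt[16:]
```

A TTL decrement leaves the AH check intact because TTL is zeroed before hashing, while a rewritten source address fails AH verification and passes ESP verification unnoticed.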

