
RE: Why can't ESP authenticate IP header?



Each protocol was designed with a different intention in mind.  You can
think of them as complementary in a way, although in my experience, the
majority of today's remote access IPSec VPNs incorporate only ESP,
mostly due to the vast number of NAT'd networks being used.


Christopher Gripp 
Systems Engineer 
Axcelerant 
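The NAT point Chris makes, and Thomas's remark that authentication-only ESP needs a null "encryptor", can be seen directly by looking at what each protocol's integrity check value (ICV) covers. The following is an added example, not code from anyone on this list: it models the AH coverage of RFC 2402 (outer IP header with mutable fields zeroed, plus AH header and payload) and the ESP coverage of RFC 2406 (ESP header and payload only), with the header layouts reduced to the fields that matter, a constructed HMAC key, and ESP-NULL (RFC 2410) standing in for the cipher. A simulated source NAT then rewrites the source address and the result of each verification is returned.

```python
"""Added example (not from the list thread): a simplified model of what the AH
and ESP integrity check values (ICVs) cover, and why a NAT on the path breaks
AH but leaves ESP's own ICV intact. Header layouts are reduced to the fields
needed for the point; the HMAC key is constructed for the demo."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

KEY = b"\x01" * 32  # constructed demo key; a real SA key is negotiated by IKE


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    ttl: int
    proto: int  # 51 = AH, 50 = ESP


def _ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ip_header_bytes(h: IPHeader, zero_mutable: bool) -> bytes:
    """Serialise a minimal IP header; AH zeroes mutable fields (here: TTL)."""
    ttl = 0 if zero_mutable else h.ttl
    return struct.pack("!BB", ttl, h.proto) + _ip_to_bytes(h.src) + _ip_to_bytes(h.dst)


def icv(data: bytes) -> bytes:
    """HMAC-SHA-256 truncated to 128 bits (the shape of AUTH_HMAC_SHA2_256_128)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]


def ah_icv(ip: IPHeader, spi: int, seq: int, payload: bytes) -> bytes:
    """AH: the ICV covers the outer IP header (mutable fields zeroed, so TTL is
    not checked but the addresses are), the AH header and the payload."""
    ah_header = struct.pack("!II", spi, seq)
    return icv(ip_header_bytes(ip, zero_mutable=True) + ah_header + payload)


def null_encrypt(payload: bytes) -> bytes:
    """ESP-NULL (RFC 2410): an 'encryption' that returns the plaintext, used
    when ESP is wanted for authentication only."""
    return payload


def esp_icv(spi: int, seq: int, payload: bytes) -> bytes:
    """ESP: the ICV covers the ESP header and the (NULL-encrypted) payload.
    The outer IP header is outside its scope, so nothing a NAT rewrites there
    is ever checked."""
    esp_header = struct.pack("!II", spi, seq)
    return icv(esp_header + null_encrypt(payload))


def verify_ah(ip: IPHeader, spi: int, seq: int, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(ah_icv(ip, spi, seq, payload), tag)


def verify_esp(spi: int, seq: int, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(esp_icv(spi, seq, payload), tag)


def nat_rewrite(ip: IPHeader, new_src: str) -> IPHeader:
    """Source NAT replaces the source address and, as a router, decrements TTL."""
    return replace(ip, src=new_src, ttl=ip.ttl - 1)


def demo() -> dict:
    """Protect one packet with AH and one with ESP, then push both through a
    simulated hop and a simulated source NAT. Returns each verification result."""
    spi, seq, payload = 0x1000, 1, b"constructed inner packet"
    ip = IPHeader(src="10.0.0.5", dst="198.51.100.1", ttl=64, proto=51)
    ah_tag = ah_icv(ip, spi, seq, payload)
    esp_tag = esp_icv(spi, seq, payload)

    after_hop = replace(ip, ttl=ip.ttl - 1)          # plain router hop
    after_nat = nat_rewrite(ip, "203.0.113.7")       # NAT rewrites the source

    return {
        # TTL is mutable and zeroed before hashing, so a hop alone is fine
        "ah_after_hop_ok": verify_ah(after_hop, spi, seq, payload, ah_tag),
        # the source address is covered, so the NAT rewrite breaks AH
        "ah_after_nat_ok": verify_ah(after_nat, spi, seq, payload, ah_tag),
        # the rewritten outer header is not an input to ESP verification at all
        "esp_after_nat_ok": verify_esp(spi, seq, payload, esp_tag),
        # ESP still catches modification of what it does cover
        "esp_tampered_payload_ok": verify_esp(spi, seq, payload + b"x", esp_tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running it shows AH surviving a TTL decrement but failing after the source NAT, while the ESP ICV is unaffected by the NAT and still rejects a tampered payload. Note that this only covers the integrity check itself; getting protocol-50 packets through a port-based NAT is a separate problem, which UDP encapsulation (NAT-T, RFC 3948) addresses.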



-----Original Message-----
From: lokesh [mailto:lokeshnb@intotoinc.com]
Sent: Friday, September 21, 2001 6:02 AM
To: Scheffler, Thomas
Cc: ipsec@lists.tislabs.com
Subject: Re: Why can't ESP authenticate IP header?



----- Original Message -----
From: "Scheffler, Thomas" <Thomas.Scheffler@t-systems.de>
To: <lokeshnb@intotoinc.com>; <ipsec@lists.tislabs.com>
Sent: Friday, September 21, 2001 5:26 PM
Subject: AW: Why can't ESP authenticate IP header?


Hello Thomas,
>
> >Can anyone help me to find  answers to following questions
> >
> >1. One of the reasons cited in support of AH is that
> >    it is needed for mobile IP users since, their ip addresses
> >   change and need Authentication for the source IP address
> >   that can be done by AH. Here I want to know, why can't
> >   we make ESP authenticate IP header also? are there any
> >   other issues involved in this?
>
> The ESP authentication does not include the IP-header, which is
> included in the AH authentication. Also you would need a
> none-encryption for the ESP-'encryptor' which is discouraged.

I think you didn't get my question right. I asked why a separate
protocol, AH, is designed just to authenticate the IP header, when it
could have been very well done using the authentication provided by ESP.
Also, you said something about none-encryption (I assume you mean
null-encryption) being required; I don't understand that point: how do
we need a null encryption if you need to authenticate the IP header?

-Lokesh

>
> >2. Apart from mobile ip user reason, is there any  other
> >   requirement that needs AH ?
>
> Huh, I think the whole IPv6-world depends heavily on IPsec
> and especially AH to authenticate Router-Advertisements and
> such.
> There are not so many IPv6 folks active in the IPsec area,
> or the other way around, therefore it tends to be forgotten.
>
> Cheers,
> Thomas
>
> ********************************************
>
> Dipl. Inform. Thomas Scheffler
>
> T-Systems Nova GmbH
> Berkom
> Berlin, Germany
>
> Tel: ++49 (0)30 - 3497 2274
> Fax: ++49 (0)30 - 3497 2275
>
> email: thomas.scheffler@telekom.de
>
> #>Custom designed reality is a labour intensive product