Re: Why can't ESP authenticate IP header?
----- Original Message -----
From: "Scheffler, Thomas" <Thomas.Scheffler@t-systems.de>
To: <lokeshnb@intotoinc.com>; <ipsec@lists.tislabs.com>
Sent: Friday, September 21, 2001 5:26 PM
Subject: AW: Why can't ESP authenticate IP header?
Hello Thomas,
>
> >Can anyone help me to find answers to the following questions
> >
> >1. One of the reasons cited in support of AH is that
> > it is needed for mobile IP users since their IP addresses
> > change and need authentication for the source IP address
> > that can be done by AH. Here I want to know, why can't
> > we make ESP authenticate the IP header also? Are there any
> > other issues involved in this?
>
> The ESP authentication does not include the IP header, which is
> included in the AH authentication. Also you would need a
> none-encryption for the ESP 'encryptor', which is discouraged.
I think you didn't get my question right. I asked why a separate
protocol, AH, is designed just to authenticate the IP header, when it
could very well have been done using the authentication provided by ESP.
Also, you said something about none-encryption (I assume you mean
null encryption) being required; I don't understand that point. Why
would we need null encryption if you need to authenticate the IP header?
Lokesh,
ESP can be used to provide authentication for its payload,
without encrypting the payload. This is referred to as ESP with
NULL encryption, for reasons having to do with how IKE works. If
the payload for ESP is an IP packet, i.e., ESP in tunnel mode, then
the effect is much like AH, but is much more efficient
computationally, because there is no need to jump around the IP header
protecting only selected fields.
Redesigning ESP to optionally cover selected parts of the IP
header, in transport mode, as AH does, would make it a more complex
protocol, at a time when simplicity is revered. Making ESP
always cover parts of the IP header would cause problems in many
instances, although it would make for a simpler protocol than one in
which the coverage was optional. Having a separate protocol, AH,
is simpler if not everyone has to use it, which is the way we may be
heading now.
Steve
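The difference Steve describes, as an added illustration that is not part of the thread: an AH-style ICV has to zero the mutable IPv4 fields (TOS, flags/fragment offset, TTL, header checksum) before the MAC so that routers can still change them in flight, whereas ESP with NULL encryption in tunnel mode just MACs the ESP header plus the whole inner packet as one blob and never looks at the outer header. Key, addresses and payload are constructed sample values; HMAC-SHA256 truncated to 96 bits stands in for whatever integrity algorithm the SA negotiates.

```python
import hmac, hashlib, struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread

def ip_checksum(data):
    """One's-complement IPv4 header checksum."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    s = (s >> 16) + (s & 0xFFFF)
    return (~(s + (s >> 16))) & 0xFFFF

def ipv4_header(src, dst, ttl=64, proto=51, tos=0, total_len=40):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 1, 0, ttl, proto, 0, src, dst)
    return h[:10] + struct.pack("!H", ip_checksum(h)) + h[12:]

def ah_icv(hdr, payload):
    """AH-style ICV: zero the mutable fields (TOS, flags/fragment offset, TTL,
    checksum) before the MAC; this is the selective coverage the reply describes."""
    b = bytearray(hdr)
    b[1] = 0; b[6:8] = b"\x00\x00"; b[8] = 0; b[10:12] = b"\x00\x00"
    return hmac.new(KEY, bytes(b) + payload, hashlib.sha256).digest()[:12]

def esp_null_tunnel_icv(outer_packet):
    """ESP with NULL encryption, tunnel mode: MAC over everything after the
    20-byte outer header (ESP header + whole inner packet), no field zeroing."""
    return hmac.new(KEY, outer_packet[20:], hashlib.sha256).digest()[:12]

def demo():
    """Constructed packets: how each protocol reacts to header changes in flight."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"constructed payload"
    icv = ah_icv(ipv4_header(src, dst, ttl=64), payload)
    # A router decrementing TTL (and fixing the checksum) must not break AH.
    ttl_ok = ah_icv(ipv4_header(src, dst, ttl=63), payload) == icv
    # The source address is covered by AH, so rewriting it breaks verification.
    addr_ok = ah_icv(ipv4_header(bytes([10, 0, 0, 9]), dst, ttl=63), payload) == icv
    # ESP tunnel mode: the inner packet rides as opaque payload behind an outer header.
    inner = ipv4_header(src, dst, ttl=64, proto=17) + payload
    esp = struct.pack("!II", 0x1000, 1) + inner            # SPI, sequence number
    gw1, gw2 = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    sent = ipv4_header(gw1, gw2, ttl=64, proto=50) + esp
    arrived = ipv4_header(bytes([192, 0, 2, 7]), gw2, ttl=61, proto=50) + esp
    esp_ok = esp_null_tunnel_icv(sent) == esp_null_tunnel_icv(arrived)
    return {"ah_survives_ttl_change": ttl_ok,
            "ah_survives_addr_change": addr_ok,
            "esp_unaffected_by_outer_changes": esp_ok}
```

The ESP case shows why a changing outer address (the mobile IP concern in the original question) does not disturb an ESP tunnel, while AH's coverage of the source address makes it sensitive to exactly that change.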