
Re: Why can't ESP authenticate IP header?


----- Original Message -----
From: "Scheffler, Thomas" <Thomas.Scheffler@t-systems.de>
To: <lokeshnb@intotoinc.com>; <ipsec@lists.tislabs.com>
Sent: Friday, September 21, 2001 5:26 PM
Subject: AW: Why can't ESP authenticate IP header?


 Hello Thomas,
>
> >Can anyone help me to find  answers to following questions
> >
> >1. One of the reasons cited in support of AH is that
> >    it is needed for mobile IP users since, their ip addresses
> >   change and need Authentication for the source IP address
> >   that can be done by AH. Here I want to know, why can't
> >   we make ESP authenticate IP header also? are there any
> >   other issues involved in this?
>
> The ESP authentication does not include the IP-header, which is
> included in the AH authentication. Also you would need a
> none-encryption for the ESP-'encryptor' which is discouraged.

I think you didn't get my question right. I asked why a separate protocol,
AH, was designed just to authenticate the IP header, when it could very well
have been done using the authentication provided by ESP. Also, you said
something about none-encryption (I assume you mean null-encryption) being
required; I don't understand that point. How do we need a null encryption
if we need to authenticate the IP header?

Lokesh,

ESP can be used to provide authentication for its payload, without encrypting the payload.  This is referred to as ESP with NULL encryption, for reasons having to do with how IKE works.  If the payload for ESP is an IP packet, i.e., ESP in tunnel mode, then the effect is much like AH, but is much more efficient computationally, because there is no need to jump around the IP header protecting only selected fields.

Redesigning ESP to optionally cover selected parts of the IP header, in transport mode, as AH does, would make it a more complex protocol, at a time when simplicity is revered.  Making ESP always cover parts of the IP header would cause problems in many instances, although it would make for a simpler protocol than one in which the coverage was optional.  Having a separate protocol, AH, is simpler if not everyone has to use it, which is the way we may be heading now.

Steve
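The difference Steve describes, between AH having to "jump around the IP header" and ESP-NULL in tunnel mode simply authenticating the whole inner packet, is easiest to see by computing both ICVs over the same packet. The script below is an added illustration written for this archive page; it is not code from the thread or from any IPsec implementation. It assumes a constructed key and constructed 10.0.0.x packets, uses HMAC-SHA-256 truncated to 12 bytes purely as a stand-in ICV, and simplifies the ESP trailer layout; the set of mutable IPv4 fields zeroed for AH (TOS, flags/fragment offset, TTL, header checksum) follows RFC 2402.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; real SAs get their keys from IKE.
KEY = b"constructed-demo-key-not-from-the-thread"
ICV_LEN = 12      # truncated HMAC ICV, in the spirit of the *-96 algorithms
AH_PROTO = 51     # IP protocol number carried in the outer header for AH


def ip_checksum(data: bytes) -> int:
    """Ones'-complement checksum over an even-length IPv4 header."""
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ttl: int = 64, tos: int = 0, ident: int = 0x1234) -> bytes:
    """Build a 20-byte IPv4 header (no options) and fill in its checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, 0,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_icv(ip_hdr: bytes, spi: int, seq: int, next_header: int, payload: bytes) -> bytes:
    """AH transport-mode ICV: the IP header is covered, but the mutable fields
    (TOS, flags/fragment offset, TTL, checksum) and the ICV field itself are
    zeroed before hashing. This selective zeroing is the per-field work AH
    needs and ESP avoids."""
    h = bytearray(ip_hdr[:20])
    h[1] = 0                  # TOS / DSCP
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    ah_fixed = struct.pack("!BBHII", next_header, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    data = bytes(h) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_null_tunnel_icv(inner_packet: bytes, spi: int, seq: int) -> bytes:
    """ESP with NULL encryption, tunnel mode: the ICV covers the ESP header,
    the entire unencrypted inner IP packet and the trailer. The outer IP
    header is not an input at all, so no field of it needs special-casing."""
    esp_hdr = struct.pack("!II", spi, seq)
    pad_len = (-(len(inner_packet) + 2)) % 4   # 4-byte alignment for the NULL cipher
    pad = bytes(range(1, pad_len + 1))         # default monotonic padding
    trailer = bytes([pad_len, 4])              # pad length, next header = IPv4
    return hmac.new(KEY, esp_hdr + inner_packet + pad + trailer,
                    hashlib.sha256).digest()[:ICV_LEN]


def compare_coverage() -> dict:
    """What each mechanism detects or tolerates, on constructed packets."""
    payload = b"constructed transport payload"
    ah_len = 12 + ICV_LEN + len(payload)
    sent = ipv4_header("10.0.0.1", "10.0.0.2", AH_PROTO, ah_len, ttl=64)
    icv = ah_icv(sent, 0x100, 1, 17, payload)

    # A router decrements TTL and rewrites the checksum; AH must still verify.
    forwarded = ipv4_header("10.0.0.1", "10.0.0.2", AH_PROTO, ah_len, ttl=63)
    ah_survives_ttl = hmac.compare_digest(icv, ah_icv(forwarded, 0x100, 1, 17, payload))

    # The source address is immutable under AH, so a changed source fails to verify.
    altered_src = ipv4_header("10.0.0.9", "10.0.0.2", AH_PROTO, ah_len, ttl=63)
    ah_detects_src = not hmac.compare_digest(icv, ah_icv(altered_src, 0x100, 1, 17, payload))

    # ESP-NULL tunnel: the inner packet, header included, is protected wholesale;
    # even the inner TTL is covered, because nothing in transit may touch it.
    inner = ipv4_header("10.0.0.1", "10.0.0.2", 17, len(payload)) + payload
    esp_icv = esp_null_tunnel_icv(inner, 0x200, 1)
    changed_inner = bytearray(inner)
    changed_inner[8] = 1
    esp_detects_inner = not hmac.compare_digest(
        esp_icv, esp_null_tunnel_icv(bytes(changed_inner), 0x200, 1))

    return {
        "ah_survives_ttl_decrement": ah_survives_ttl,
        "ah_detects_src_change": ah_detects_src,
        "esp_tunnel_detects_inner_change": esp_detects_inner,
    }


if __name__ == "__main__":
    for name, ok in compare_coverage().items():
        print(f"{name}: {ok}")
```

The three results line up with the thread: AH tolerates the hop-by-hop rewrites of TTL and checksum only because it zeroes those fields field by field, it binds the source address (the mobile-IP argument in the original question), and ESP-NULL in tunnel mode covers the whole inner packet with a single contiguous MAC and never looks at the outer header.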
