nanog mailing list archives
Re: Does anybody out there use Authentication Header (AH)?
From: Jack Kohn <kohn.jack () gmail com>
Date: Wed, 4 Jan 2012 21:25:49 +0530
Tom,

It seems NIST recommends ESP over AH. You can look at the following 2 emails from Manav and Sriram on the IPsecME WG:

http://www.ietf.org/mail-archive/web/ipsec/current/msg07403.html
http://www.ietf.org/mail-archive/web/ipsec/current/msg07407.html

Jack

On Mon, Jan 2, 2012 at 5:57 AM, TR Shaw <tshaw () oitc com> wrote:
> On Jan 1, 2012, at 7:12 PM, John Smith wrote:
>
> > Hi,
> >
> > I am trying to see if there are people who use AH, especially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.
> >
> > Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH? OR is it that people don't care and just use what their vendors provide them?
> >
> > Regards,
> > John
>
> AH provides for connectionless integrity and data origin authentication and provides protection against replay attacks. Many US Gov departments that have to follow NIST and do not understand what this means require it between internal point-to-point routers between one portion of their organization and another, adding more expense for no increase in operational security. If you are following NIST or DCID-63, this is required to meet certain integrity requirements.
>
> ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality. E.g. the AH portion provides for the integrity requirement and the ESP encryption provides for the confidentiality requirement of NIST.
>
> Think of AH as being like just signing a PGPMail and ESP as signing and encrypting a PGPMail. There are reasons for both.
>
> Tom
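The thread says there is "hardly a difference" between AH and ESP-NULL; the one practical difference is what the integrity check value (ICV) covers. The following is an added illustration, not code from the thread or from any IPsec implementation: it computes an RFC 2404 style HMAC-SHA1-96 ICV over constructed IPv4 transport-mode packets, with a placeholder key, and shows that AH also authenticates the immutable IP header fields (so a NAT rewriting the source address breaks it, while a TTL decrement does not) whereas ESP-NULL covers only the ESP header and payload.

```python
import hmac, hashlib, struct

HMAC_KEY = b"constructed-demo-key"  # placeholder, not a real SA key
IPV4_FMT = "!BBHHHBBH4s4s"          # minimal 20-byte IPv4 header


def ipv4_header(src, dst, proto, total_len, ttl=64):
    # Header checksum left at 0; it is mutable and never covered by an ICV.
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, src, dst)


def icv(data):
    # HMAC-SHA1 truncated to 96 bits (RFC 2404)
    return hmac.new(HMAC_KEY, data, hashlib.sha1).digest()[:12]


def ah_icv(ip_hdr, seq, payload):
    # AH (RFC 4302): ICV covers the IP header with mutable fields zeroed
    # (TOS, flags/fragment offset, TTL, checksum), the AH header with a
    # zeroed ICV field, and the upper-layer payload.
    ver_ihl, _tos, tlen, ident, _flg, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, ip_hdr)
    zeroed = struct.pack(IPV4_FMT, ver_ihl, 0, tlen, ident, 0, 0, proto, 0, src, dst)
    # AH header: next hdr=6 (TCP), payload len=4 words, reserved, SPI, seq, ICV
    ah = struct.pack("!BBHII", 6, 4, 0, 0x100, seq) + bytes(12)
    return icv(zeroed + ah + payload)


def esp_null_icv(seq, payload):
    # ESP (RFC 4303) with NULL encryption: ICV covers SPI, seq, payload,
    # padding, pad length and next header. The IP header is NOT covered.
    pad = (-(len(payload) + 2)) % 4
    esp = struct.pack("!II", 0x200, seq) + payload + bytes(pad) + bytes([pad, 6])
    return icv(esp)


def verify_after_rewrite(which, new_src=None, new_ttl=None):
    """Compute the ICV at the sender, rewrite the IP header in transit
    (NAT changes src, a router decrements TTL), and return True if the
    receiver's recomputed ICV still matches. which is "ah" or "esp"."""
    payload = b"constructed TCP segment"      # constructed sample data
    src, dst = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"
    proto = 51 if which == "ah" else 50       # IP protocol numbers: AH=51, ESP=50
    tlen = 20 + 24 + len(payload)
    hdr = ipv4_header(src, dst, proto, tlen)
    sent = ah_icv(hdr, 1, payload) if which == "ah" else esp_null_icv(1, payload)
    hdr = ipv4_header(new_src or src, dst, proto, tlen, ttl=new_ttl or 64)
    recv = ah_icv(hdr, 1, payload) if which == "ah" else esp_null_icv(1, payload)
    return hmac.compare_digest(sent, recv)
```

Neither mode authenticates the outer header after a NAT in practice without NAT-T, but the check above is the reason AH in particular cannot survive address rewriting at all.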