Re: Re[2]: AH (without ESP) on a secure gateway
Dan Frommer <dan@radguard.com> Thu, 05 December 1996 06:46 UTC
Date: Thu, 05 Dec 1996 08:42:30 +0200
From: Dan Frommer <dan@radguard.com>
To: Ran Atkinson <rja@cisco.com>
Cc: ipsec@tis.com, rja@cisco.com
Subject: Re: Re[2]: AH (without ESP) on a secure gateway
In-Reply-To: <199612041911.LAA02222@cornpuffs.cisco.com>
Message-Id: <Pine.SUN.3.91.961205081507.26759B-100000@elgamal.radguard.com>

On Wed, 4 Dec 1996, Ran Atkinson wrote:

> I believe that ESP should continue to always imply that encryption is
> in use. The presence/absence of encryption is the primary reason that AH is
> separate from ESP. Were it not for the political realities of regulation of
> encryption in various locales, AH and ESP would not have been separate
> protocols in the first place. I am aware of cases where in practice more than
> one government regulatory authority has been persuaded to handle AH export/use
> licensing with significantly less hassle BECAUSE the AH spec does not support
> encryption.
>
> I am aware that many implementers of AH have in fact implemented a
> "tunnel-mode AH" (which looks like this: [ip:r1->r2][ah][ip:h1->h2][ulp],
> where r1,r2 are security gateways and h1,h2 are end nodes). I believe that
> the best approach is to simply add a definition of this tunnel-mode AH into
> the AH base specification. This also has the virtue of having the least
> amount of negative impact on interoperability of existing AH implementations.
>
> Comments ?
>
> Ran
> rja@cisco.com

AH in tunnel mode is required for the above case as well as the case of a
host that implements AH (h1) talking via a gateway (r2) to a host behind the
gateway (h2). In this case the headers would look like this:
[ip:h1->r2][ah][ip:h1->h2][ulp].

Such a mode is indeed required and would ease exportability issues.

Dan Frommer
dan@radguard.com
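
The two tunnel-mode layouts discussed in this message, [ip:r1->r2][ah][ip:h1->h2][ulp] and [ip:h1->r2][ah][ip:h1->h2][ulp], can be told apart from the header chain alone. The following is an added example, not part of the original post or of any implementation mentioned in the thread; it assumes IPv4, the AH field layout of RFC 4302 (with a sequence number), a zeroed placeholder ICV, and constructed addresses.

```python
import socket
import struct

PROTO_IPIP, PROTO_TCP, PROTO_AH = 4, 6, 51  # IANA protocol numbers

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def ah(next_header, payload, spi=0x100, icv=b"\x00" * 12):
    """AH header; the ICV is a zeroed placeholder, not a computed MAC."""
    body = struct.pack("!II", spi, 1) + icv            # SPI, sequence number, ICV
    words = (4 + len(body)) // 4 - 2                   # Payload Len field
    return struct.pack("!BBH", next_header, words, 0) + body + payload

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) or raise ValueError."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:]

def classify(pkt):
    """Name the AH mode of a packet from its header chain."""
    src, dst, proto, rest = parse_ipv4(pkt)
    if proto != PROTO_AH:
        return "no AH"
    if len(rest) < 8 or len(rest) < (rest[1] + 2) * 4:
        raise ValueError("truncated AH header")
    if rest[0] != PROTO_IPIP:                # AH next header is not an inner IP header
        return "transport"
    in_src, in_dst, _, _ = parse_ipv4(rest[(rest[1] + 2) * 4:])
    if in_src == src and in_dst != dst:
        return "tunnel host-to-gateway"      # [ip:h1->r2][ah][ip:h1->h2][ulp]
    if in_src != src and in_dst != dst:
        return "tunnel gateway-to-gateway"   # [ip:r1->r2][ah][ip:h1->h2][ulp]
    return "tunnel other"

# Constructed sample addresses and packets (documentation and private ranges)
R1, R2, H1, H2 = "192.0.2.1", "198.51.100.1", "203.0.113.7", "10.1.0.9"
INNER = ipv4(H1, H2, PROTO_TCP, b"ulp")
GW_TO_GW = ipv4(R1, R2, PROTO_AH, ah(PROTO_IPIP, INNER))
HOST_TO_GW = ipv4(H1, R2, PROTO_AH, ah(PROTO_IPIP, INNER))
TRANSPORT = ipv4(H1, H2, PROTO_AH, ah(PROTO_TCP, b"ulp"))

if __name__ == "__main__":
    for name in ("GW_TO_GW", "HOST_TO_GW", "TRANSPORT"):
        print(name, "->", classify(globals()[name]))
```
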