Re: Re[2]: AH (without ESP) on a secure gateway

Dan Frommer <dan@radguard.com> Thu, 05 December 1996 06:46 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id BAA28123 for ipsec-outgoing; Thu, 5 Dec 1996 01:46:47 -0500 (EST)
Date: Thu, 05 Dec 1996 08:42:30 +0200
From: Dan Frommer <dan@radguard.com>
To: Ran Atkinson <rja@cisco.com>
Cc: ipsec@tis.com, rja@cisco.com
Subject: Re: Re[2]: AH (without ESP) on a secure gateway
In-Reply-To: <199612041911.LAA02222@cornpuffs.cisco.com>
Message-Id: <Pine.SUN.3.91.961205081507.26759B-100000@elgamal.radguard.com>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

On Wed, 4 Dec 1996, Ran Atkinson wrote:

> 	I believe that ESP should continue to always imply that encryption is
> in use.  The presence/absence of encryption is the primary reason that AH is
> separate from ESP.  Were it not for the political realities of regulation of
> encryption in various locales, AH and ESP would not have been separate
> protocols in the first place.  I am aware of cases where in practice more than
> one government regulatory authority has been persuaded to handle AH export/use
> licensing with significantly less hassle BECAUSE the AH spec does not support
> encryption.
> 
> 	I am aware that many implementers of AH have in fact implemented a
> "tunnel-mode AH" (which looks like this: [ip:r1->r2][ah][ip:h1->h2][ulp],
> where r1,r2 are security gateways and h1,h2 are end nodes).  I believe that
> the best approach is to simply add a definition of this tunnel-mode AH into
> the AH base specification.  This also has the virtue of having the least
> amount of negative impact on interoperability of existing AH implementations.
> 
> Comments?
> 
> Ran
> rja@cisco.com
> 

AH in tunnel mode is required for the above case as well as the case of
a host that implements AH (h1) talking via a gateway (r2) to a host
behind the gateway (h2). In this case the headers would look like this:

[ip:h1->r2][ah][ip:h1->h2][ulp].

Such a mode is indeed required and would ease exportability issues.

Dan Frommer
dan@radguard.com
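The two tunnel-mode layouts discussed above, [ip:r1->r2][ah][ip:h1->h2][ulp] and [ip:h1->r2][ah][ip:h1->h2][ulp], built and verified in code. This is an added example, not part of the original message and not the code of any implementation the thread refers to. It assumes the AH header format later fixed in RFC 2402 (next header, payload length, reserved, SPI, sequence number, ICV) and HMAC-SHA-1-96 (RFC 2404) rather than the RFC 1826/1828 format current when this was written, an outer IPv4 header without options, and constructed sample addresses, keys, SPIs and payloads. The ICV covers the outer header with its mutable fields zeroed, the AH header with its ICV field zeroed, and the whole inner packet, which is why a TTL decrement on the path still verifies while any change to the inner packet is rejected.

```python
"""Tunnel-mode AH: build [outer ip][ah][inner ip packet] and verify it (added example).

Assumptions (not from the original message): RFC 2402 AH header layout with a
sequence number, HMAC-SHA-1-96 (RFC 2404) as the integrity algorithm, an outer
IPv4 header without options. All addresses, keys, SPIs and payloads are constructed.
"""
import hashlib
import hmac
import socket
import struct

IPPROTO_AH = 51
IPPROTO_IPIP = 4        # AH next-header value for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 12            # HMAC-SHA-1-96: 20-byte digest truncated to 96 bits
AH_LEN = 12 + ICV_LEN   # 12 bytes of fixed AH fields plus the ICV

# Constructed sample addresses: r1/r2 are security gateways, h1/h2 end hosts.
R1, R2 = "192.0.2.1", "198.51.100.1"
H1, H2 = "203.0.113.7", "10.2.0.9"


def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a header whose checksum field is already zero."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64, ident: int = 0) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def _icv_input(outer_hdr: bytes, ah_fixed: bytes, inner_pkt: bytes) -> bytes:
    """Bytes the ICV is computed over: outer header with mutable fields zeroed,
    AH fixed fields, a zeroed ICV field, then the entire inner packet."""
    z = bytearray(outer_hdr)
    z[1] = 0                # TOS: mutable in transit
    z[6:8] = b"\x00\x00"    # flags / fragment offset (offset is zero anyway for an AH packet)
    z[8] = 0                # TTL: decremented by every router
    z[10:12] = b"\x00\x00"  # header checksum: rewritten whenever TTL changes
    return bytes(z) + ah_fixed + bytes(ICV_LEN) + inner_pkt


def build_ah_tunnel(outer_src: str, outer_dst: str, inner_pkt: bytes, key: bytes, spi: int, seq: int) -> bytes:
    """Wrap inner_pkt as [ip:outer_src->outer_dst][ah][inner_pkt]."""
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_AH, AH_LEN + len(inner_pkt))
    # Payload Length is the AH length in 32-bit words minus 2 (RFC 2402 s.2.2): 24/4 - 2 = 4.
    ah_fixed = struct.pack("!BBHII", IPPROTO_IPIP, AH_LEN // 4 - 2, 0, spi, seq)
    icv = hmac.new(key, _icv_input(outer, ah_fixed, inner_pkt), hashlib.sha1).digest()[:ICV_LEN]
    return outer + ah_fixed + icv + inner_pkt


def verify_ah_tunnel(pkt: bytes, key: bytes):
    """Return the decapsulated inner packet if the ICV verifies, else None."""
    if len(pkt) < 20 + AH_LEN or pkt[0] != 0x45 or pkt[9] != IPPROTO_AH:
        return None             # only IPv4 without options is handled here
    outer, next_hdr, plen = pkt[:20], pkt[20], pkt[21]
    ah_total = (plen + 2) * 4
    if next_hdr != IPPROTO_IPIP or ah_total != AH_LEN or len(pkt) < 20 + ah_total:
        return None
    ah_fixed, icv, inner = pkt[20:32], pkt[32:20 + ah_total], pkt[20 + ah_total:]
    expected = hmac.new(key, _icv_input(outer, ah_fixed, inner), hashlib.sha1).digest()[:ICV_LEN]
    return inner if hmac.compare_digest(icv, expected) else None


def demo() -> dict:
    """Both layouts from the thread, plus the mutable-field and tamper cases."""
    key = b"constructed-sample-key-0123456789"
    # Inner packet h1->h2 carrying a minimal UDP header (ports 53/53, length 8, no checksum).
    inner = ipv4_header(H1, H2, 17, 8, ident=1) + bytes.fromhex("0035003500080000")
    gw = build_ah_tunnel(R1, R2, inner, key, spi=0x1000, seq=1)    # [ip:r1->r2][ah][ip:h1->h2][ulp]
    host = build_ah_tunnel(H1, R2, inner, key, spi=0x1001, seq=1)  # [ip:h1->r2][ah][ip:h1->h2][ulp]
    # A router on the path decrements TTL and rewrites the outer checksum.
    forwarded = bytearray(gw)
    forwarded[8] -= 1
    forwarded[10:12] = b"\x00\x00"
    forwarded[10:12] = struct.pack("!H", ip_checksum(bytes(forwarded[:20])))
    # Flip one bit of the inner destination address (last byte of the inner header).
    tampered = bytearray(gw)
    tampered[20 + AH_LEN + 19] ^= 0x01
    return {
        "gateway_to_gateway": verify_ah_tunnel(gw, key) == inner,
        "host_to_gateway": verify_ah_tunnel(host, key) == inner,
        "ttl_decrement_survives": verify_ah_tunnel(bytes(forwarded), key) == inner,
        "inner_tamper_rejected": verify_ah_tunnel(bytes(tampered), key) is None,
        "wrong_key_rejected": verify_ah_tunnel(gw, b"other-key") is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Because the inner packet is covered in full, a gateway (r2) that strips the outer header and AH can forward [ip:h1->h2][ulp] to h2 knowing that neither its addresses nor its payload changed in transit; the only fields a router may legitimately touch are the ones zeroed before the ICV is computed.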