Re: AH (without ESP) on a secure gateway

Steven Bellovin <smb@research.att.com> Wed, 04 December 1996 04:57 UTC

To: Stephen Kent <kent@bbn.com>
cc: Michael Richardson <mcr@sandelman.ottawa.on.ca>, ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
Date: Tue, 03 Dec 1996 23:58:30 -0500
From: Steven Bellovin <smb@research.att.com>

	You mention early in your message the key issue, which is the
	focus of this debate.  I maintained that it makes sense to use
	AH between a pair of firewalls ONLY if the header is applied to
	a tunneled SA.  Once we agree on that, the rest ought to be
	easy.  The disagreement has been on whether it is appropriate
	to have two (or more) instances of AH without an intervening IP
	header.  We have seen several messages now arguing why this is
	not an appropriate header sequence, including your message to
	which I am responding.  So, I don't disagree with the examples
	you cited.

It's very clear to me that firewall-to-firewall IPSEC -- whether it's
ESP or AH -- should be done *only* in tunnel mode.  To do otherwise
is inviting trouble.  In fact, I had thought that was what was done --
no other possibility had occurred to me.

There's a second issue that has come up here -- how does one know which
the right firewall is?  This is one of the points I raised at the last
IETF meeting; in my opinion, it's very closely related to the naming
issue and the certificate issue, and we haven't really tackled either
of those.  (See ftp://ftp.research.att.com/dist/smb/ipsec-cert.ps for
the (few) slides I used.)