Re: Re[2]: AH (without ESP) on a secure gateway

[Stephen Kent <kent@bbn.com>]

Ran,

	I'll comment on your suggestion that we retain mandatory use of
encryption in ESP.  I feel that AH is an awkward way to provide
authentication for a payload, due to the selective inclusion of IP header
fields.  The computation of the integrity check value will be slower than a
corresponding computation for ESP, because of the selectivity of the
computation.  AH does offer a different function from ESP, even if ESP is
offered in a version that provides integrity and autenticity without
encryption.  ESP, if allowed to be used without encryption, provides a
clean way to integrity protect just encapsulated data, if that is what is
wanted.  I suspect that this latter capability will often be appropriate, a
the recent firewall discussion has shown.

	I agree that the original distinction between AH and ESP was one in
which the encryption vs. integrity/authenticity was the primary motivation.
However, the other major difference is the scope of the protection, with AH
and ESP differing noticeably in that regard as well.  As ESP added more
features, I think it makes more sense to allow for it to be more modular,
and to reserve the use of AH for exactly the circumstances where it's
coverage of the IP header is appropriate.

	The notion of tunnel mode for AH has not been a very strong one in
the documents, though it certainly can be added.  However, I suggest we
consider the better documented tunnel mode notion of ESP, combined with the
new notion of an encryptionless use of ESP, as a candidate for many
instances where one might have used tunneled AH.  Unless the protection of
the "outer" IP header is necessary e.g., to bind a security label to the
outer packet, tunneled AH would appear to offer no advantages relative to
this mode of use of ESP.

Steve