Re: AH (without ESP) on a secure gateway

Stephen Kent <kent@bbn.com> Tue, 03 December 1996 03:22 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id WAA23133 for ipsec-outgoing; Mon, 2 Dec 1996 22:22:58 -0500 (EST)
X-Sender: kent@po1.bbn.com (Unverified)
Message-Id: <v03007803aec93efaf8f9@[128.33.229.245]>
In-Reply-To: <199612021501.KAA18888@earth.hpc.org>
References: Yourmessage <199612021214.FAA13018@baskerville.CS.Arizona.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 02 Dec 1996 21:25:04 -0500
To: ho@earth.hpc.org
From: Stephen Kent <kent@bbn.com>
Subject: Re: AH (without ESP) on a secure gateway
Cc: ipsec@tis.com
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

Hilarie,

	Another thought on multiple instances of AH in a single packet.  In
the current spec, the inclusion of another header would violate the
positioning requirement, which calls for AH (as an option in IPv4) to come
directly after the IP header.  The "second" AH option would not be directly
after the header; it would be after the first AH option.  Hence I had never
envisioned multiple AH options/payloads as being compliant.  Also, note that
the computation of the AH integrity check value is complicated by the need
to consider some header fields as zero during the computation.  The ESP
computation, in a tunnel mode context, would be simpler and faster, making
it more attractive for a firewall.

Steve
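As an added illustration of the zeroing step Steve mentions (this is example code, not part of his message or of any IPsec spec text): the AH ICV is computed over the IP header with the fields that change in transit treated as zero, so a router decrementing TTL (and rewriting the checksum) does not break the check, while any change to the protected payload does. The mutable-field list and AH header layout follow the later RFC 2402 revision, HMAC-SHA256 truncated to 96 bits is an assumed MAC choice, and all packet values are constructed.

```python
import hashlib
import hmac
import struct

# Byte offsets/lengths of IPv4 header fields that change in transit (the
# "mutable" fields of RFC 2402: ToS, flags+fragment offset, TTL, checksum).
# These are treated as zero when the AH ICV is computed or verified.
IPV4_MUTABLE = [(1, 1), (6, 2), (8, 1), (10, 2)]

def ipv4_checksum(hdr):
    """Standard one's-complement checksum over a 20-byte header (checksum field zero)."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, total_len, ttl=64, proto=51):
    """Constructed 20-byte IPv4 header without options; protocol 51 = AH."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def build_ah_header(next_hdr, spi, seq, icv_len=12):
    """AH header (RFC 2402 layout) with a zeroed Authentication Data field."""
    payload_len = (12 + icv_len) // 4 - 2  # length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + b"\x00" * icv_len

def ah_icv(key, ip_hdr, ah_hdr, payload, icv_len=12):
    """AH ICV over IP header + AH header + payload with mutable fields zeroed.
    HMAC-SHA256 truncated to icv_len bytes is an assumed MAC, not the 1996 one."""
    hdr = bytearray(ip_hdr)
    for off, length in IPV4_MUTABLE:
        hdr[off:off + length] = b"\x00" * length
    ah = bytearray(ah_hdr)
    ah[12:12 + icv_len] = b"\x00" * icv_len  # the ICV field itself counts as zero
    mac = hmac.new(key, bytes(hdr) + bytes(ah) + payload, hashlib.sha256).digest()
    return mac[:icv_len]

def ttl_change_is_transparent(key=b"constructed-ah-key"):
    """True if a hop decrementing TTL (and fixing the checksum) leaves the AH
    ICV unchanged while a one-byte payload change alters it."""
    src, dst, payload = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), b"constructed payload"
    ah = build_ah_header(next_hdr=17, spi=0x100, seq=1)  # 17 = UDP carried inside AH
    total_len = 20 + len(ah) + len(payload)
    sent = ah_icv(key, build_ipv4_header(src, dst, total_len, ttl=64), ah, payload)
    arrived = ah_icv(key, build_ipv4_header(src, dst, total_len, ttl=63), ah, payload)
    tampered = ah_icv(key, build_ipv4_header(src, dst, total_len, ttl=63), ah, payload + b"!")
    return sent == arrived and sent != tampered
```

The ESP tunnel-mode contrast in the message follows from the same code: the outer header is simply not an input to the ESP authenticator, so there is nothing to zero.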