[148063] in North American Network Operators' Group
Re: Does anybody out there use Authentication Header (AH)?
daemon@ATHENA.MIT.EDU (TR Shaw)
Sun Jan  1 19:28:27 2012
From: TR Shaw <tshaw@oitc.com>
In-Reply-To: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com>
Date: Sun, 1 Jan 2012 19:27:27 -0500
To: John Smith <jsmith4112003@yahoo.co.uk>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 1, 2012, at 7:12 PM, John Smith wrote:
> Hi,
>
> I am trying to see if there are people who use AH, especially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.
>
> Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH. Or is it that people don't care and just use what their vendors provide them?
>
> Regards,
> John
AH provides for connectionless integrity and data origin authentication and provides protection against replay attacks. Many US Gov departments that have to follow NIST and do not understand what this means require it between internal point-to-point routers between one portion of their organization and another, adding more expense for no increase in operational security.

If you are following NIST or DCID-63, this is required to meet certain integrity requirements.

ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality. E.g. the AH portion provides for the integrity requirement and the ESP encryption provides for the confidentiality requirement of NIST.

Think of AH as being like just signing a PGP mail, and ESP as signing and encrypting a PGP mail.

There are reasons for both.

Tom
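The services Tom lists (integrity, data origin authentication, anti-replay) are the same for AH and ESP-NULL, so the concrete difference is what the integrity check value (ICV) covers: per RFC 4302 the AH ICV also covers the outer IP header (with the mutable fields DSCP/ECN, flags, fragment offset, TTL and header checksum zeroed), whereas the ESP ICV covers only the ESP header, payload and trailer. The following added example (not code from the thread or from any IPsec implementation) models both ICV computations over a constructed IPv4 header and payload, plus the sliding anti-replay window both protocols use. The key, addresses and payload are constructed demo values; the 128-bit truncation of HMAC-SHA-256 follows RFC 4868.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key-not-for-real-use"  # constructed demo key


def ipv4_header(src, dst, proto=51, ttl=64, total_len=40):
    """Build a minimal 20-byte IPv4 header (checksum left zero; it is mutable anyway)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )


def ah_icv(ip_header, payload):
    """AH-style ICV: HMAC over the IP header with mutable fields zeroed, plus payload."""
    h = bytearray(ip_header)
    h[1] = 0                    # DSCP/ECN may be rewritten in transit
    h[6:8] = b"\x00\x00"        # flags + fragment offset
    h[8] = 0                    # TTL is decremented by every router
    h[10:12] = b"\x00\x00"      # header checksum changes with TTL
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:16]


def esp_null_icv(payload):
    """ESP-NULL-style ICV: the outer IP header is not covered at all."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:16]


class ReplayWindow:
    """Sliding anti-replay window as used by both AH and ESP (RFC 4302/4303)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq):
        if seq == 0:                      # sequence number 0 is never valid
            return False
        if seq > self.top:                # advance the window to the right
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) & mask) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:             # too old: outside the window
            return False
        bit = 1 << diff
        if self.bitmap & bit:             # already seen: replay
            return False
        self.bitmap |= bit
        return True


def compare_header_coverage():
    """Show which header changes each ICV tolerates or detects."""
    payload = b"constructed payload"
    hdr = ipv4_header("10.0.0.1", "10.0.0.2")

    # Legitimate in-transit change: a router decremented the TTL.
    ttl_hdr = bytearray(hdr)
    ttl_hdr[8] -= 1

    # Header tampering: the source address was rewritten.
    tampered_hdr = bytearray(hdr)
    tampered_hdr[12:16] = socket.inet_aton("10.9.9.9")

    return {
        "ah_survives_ttl_decrement": ah_icv(bytes(ttl_hdr), payload) == ah_icv(hdr, payload),
        "ah_detects_address_change": ah_icv(bytes(tampered_hdr), payload) != ah_icv(hdr, payload),
        # ESP-NULL never looked at the header, so the change is invisible to it.
        "esp_detects_address_change": False if esp_null_icv(payload) == esp_null_icv(payload) else True,
    }


if __name__ == "__main__":
    print(compare_header_coverage())
    w = ReplayWindow()
    print([w.check_and_update(s) for s in (1, 1, 5, 3, 3, 100, 36, 37)])
```

The header comparison is the practical answer to "where would someone want AH": it is the only one of the two that will reject a packet whose outer addresses were altered in transit, at the price of breaking through NAT for exactly the same reason. The replay window is shared by both protocols, so anti-replay alone is never a reason to prefer one over the other.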