[148065] in North American Network Operators' Group


Re: Does anybody out there use Authentication Header (AH)?

daemon@ATHENA.MIT.EDU (John Smith)
Sun Jan 1 19:33:00 2012

Date: Mon, 2 Jan 2012 00:32:08 +0000 (GMT)
From: John Smith <jsmith4112003@yahoo.co.uk>
To: TR Shaw <tshaw@oitc.com>
In-Reply-To: <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Reply-To: John Smith <jsmith4112003@yahoo.co.uk>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Hi Tom,

Thanks for the reply.

Why can't we use ESP/NULL for meeting the NIST requirement? Is there something extra that AH offers here?

Regards,
John


________________________________
From: TR Shaw <tshaw@oitc.com>
To: John Smith <jsmith4112003@yahoo.co.uk>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Sent: Monday, 2 January 2012, 5:57
Subject: Re: Does anybody out there use Authentication Header (AH)?


On Jan 1, 2012, at 7:12 PM, John Smith wrote:

> Hi,
>
> I am trying to see if there are people who use AH specially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.
>
> Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH? OR is it that people don't care and just use what their vendors provide them?
>
> Regards,
> John

AH provides for connectionless integrity and data origin authentication and provides protection against replay attacks. Many US Gov departments that have to follow NIST and do not understand what this means require it between internal point-to-point routers between one portion of their organization and another, adding more expense for no increase in operational security.

If you are following NIST or DCID-63, this is required to meet certain integrity requirements.

ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality. E.g. the AH portion provides for the integrity requirement and the ESP encryption provides for the confidentiality requirement of NIST.

Think of AH as just signing a PGPMail and ESP as signing and encrypting a PGPMail.

There are reasons for both.

Tom
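The one concrete thing AH's integrity check gives that ESP-NULL's does not is coverage of the outer IP header: AH's ICV (RFC 4302) is computed over the immutable header fields (source, destination, protocol, identification, total length) with the mutable ones (TTL, checksum, DSCP/ECN, flags/fragment offset) zeroed, while ESP's ICV (RFC 4303) starts at the SPI and never sees the IP header at all. The model below is an added illustration of that difference, not code from this thread or from any IPsec implementation: it builds a 20-byte IPv4 header by hand, computes both ICVs over a constructed payload with a constructed key, and then checks them against three in-transit variants. The HMAC-SHA-256 truncation to 16 bytes and the addresses and SPI are assumptions for the demo; a real stack would use the SA's negotiated integrity algorithm. The same header coverage is also why AH cannot cross a NAT, which is the practical reason ESP-NULL is what most deployments end up with.

```python
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51
ICV_LEN = 16  # truncated HMAC output; assumed length for this demo


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options). The header checksum is left as zero:
    it is a mutable field and is excluded from the AH ICV anyway."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def _ah_zero_mutable(hdr: bytes) -> bytes:
    """RFC 4302 Appendix A: fields that legitimately change in transit are zeroed
    before the ICV is computed, so intermediate routers do not break it."""
    h = bytearray(hdr)
    h[1] = 0                # DSCP / ECN
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def ah_header(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV."""
    ah_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, ah_len, 0, spi, seq) + icv


def ah_icv(key: bytes, ip_hdr: bytes, spi: int, seq: int, next_hdr: int, payload: bytes) -> bytes:
    """AH ICV covers the sanitised IP header, the AH header with a zeroed ICV field,
    and everything after it."""
    covered = _ah_zero_mutable(ip_hdr) + ah_header(next_hdr, spi, seq, bytes(ICV_LEN)) + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def ah_verify(key, ip_hdr, spi, seq, next_hdr, payload, icv) -> bool:
    return hmac.compare_digest(ah_icv(key, ip_hdr, spi, seq, next_hdr, payload), icv)


def esp_null_body(payload: bytes, next_hdr: int) -> bytes:
    """ESP payload + padding to a 4-byte boundary + pad length + next header (NULL cipher)."""
    pad_len = (-(len(payload) + 2)) % 4
    return payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])


def esp_null_icv(key: bytes, spi: int, seq: int, next_hdr: int, payload: bytes) -> bytes:
    """ESP ICV covers SPI, sequence number and the ESP body only; the outer IP header
    is never part of the computation, which is the whole difference from AH."""
    covered = struct.pack("!II", spi, seq) + esp_null_body(payload, next_hdr)
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def esp_null_verify(key, spi, seq, next_hdr, payload, icv) -> bool:
    return hmac.compare_digest(esp_null_icv(key, spi, seq, next_hdr, payload), icv)


def coverage_demo(key: bytes = b"constructed-demo-key") -> dict:
    """Sender computes both ICVs over a constructed packet; the receiver then checks
    them against three in-transit variants."""
    payload = b"GET / HTTP/1.0\r\n\r\n"  # constructed sample payload
    spi, seq = 0x1000, 1
    ah_len = 12 + ICV_LEN + len(payload)

    sent = ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_AH, ah_len, ttl=64)
    ah_tag = ah_icv(key, sent, spi, seq, IPPROTO_TCP, payload)
    esp_tag = esp_null_icv(key, spi, seq, IPPROTO_TCP, payload)

    # 1. Normal forwarding: a router decremented the TTL. AH must still verify.
    forwarded = ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_AH, ah_len, ttl=63)
    ah_after_forwarding = ah_verify(key, forwarded, spi, seq, IPPROTO_TCP, payload, ah_tag)

    # 2. Source address rewritten in transit (a NAT, or anything else that edits the
    #    header). AH binds the immutable header fields; ESP-NULL's ICV never saw them.
    rewritten = ipv4_header("192.0.2.99", "10.0.0.2", IPPROTO_AH, ah_len, ttl=63)
    ah_after_rewrite = ah_verify(key, rewritten, spi, seq, IPPROTO_TCP, payload, ah_tag)
    esp_after_rewrite = esp_null_verify(key, spi, seq, IPPROTO_TCP, payload, esp_tag)

    # 3. Payload modified: both detect it.
    tampered = payload.replace(b"GET", b"PUT")
    ah_after_tamper = ah_verify(key, forwarded, spi, seq, IPPROTO_TCP, tampered, ah_tag)
    esp_after_tamper = esp_null_verify(key, spi, seq, IPPROTO_TCP, tampered, esp_tag)

    return {
        "ah_passes_ttl_decrement": ah_after_forwarding,
        "ah_detects_src_rewrite": not ah_after_rewrite,
        "esp_null_detects_src_rewrite": not esp_after_rewrite,
        "both_detect_payload_change": not ah_after_tamper and not esp_after_tamper,
    }


if __name__ == "__main__":
    for check, result in coverage_demo().items():
        print(f"{check}: {result}")
```

Read against the thread: for an integrity requirement that only cares about the payload, ESP-NULL satisfies it; the extra AH buys is that the receiver also proves the addresses and protocol field were not touched in transit, which is exactly what makes it undeployable across address translation.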
