[148069] in North American Network Operators' Group


Re: Does anybody out there use Authentication Header (AH)?

daemon@ATHENA.MIT.EDU (TR Shaw)
Sun Jan 1 20:35:24 2012

From: TR Shaw <tshaw@oitc.com>
In-Reply-To: <1325464328.92852.YahooMailNeo@web29804.mail.ird.yahoo.com>
Date: Sun, 1 Jan 2012 20:34:28 -0500
To: John Smith <jsmith4112003@yahoo.co.uk>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

John,

Unlike AH, ESP in transport mode does not provide integrity and authentication for the entire IP packet. However, in Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected. Thus, you need AH to authenticate the integrity of the outer header packet information.

Again, just like PGPMail, as I explained before.

Tom


On Jan 1, 2012, at 7:32 PM, John Smith wrote:

> Hi Tom,
>
> Thanks for the reply.
>
> Why can't we use ESP/NULL for meeting the NIST requirement? Is there something extra that AH offers here?
>
> Regards,
> John
>
> From: TR Shaw <tshaw@oitc.com>
> To: John Smith <jsmith4112003@yahoo.co.uk>
> Cc: "nanog@nanog.org" <nanog@nanog.org>
> Sent: Monday, 2 January 2012, 5:57
> Subject: Re: Does anybody out there use Authentication Header (AH)?
>
>
> On Jan 1, 2012, at 7:12 PM, John Smith wrote:
>
> > Hi,
> >
> > I am trying to see if there are people who use AH, especially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.
> >
> > Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH. Or is it that people don't care and just use what their vendors provide them?
> >
> > Regards,
> > John
>
> AH provides for connectionless integrity and data origin authentication and provides protection against replay attacks. Many US Gov departments that have to follow NIST and do not understand what this means require it between internal point-to-point routers between one portion of their organization and another, adding more expense for no increase in operational security.
>
> If you are following NIST or DCID-63, this is required to meet certain integrity requirements.
>
> ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality. E.g., the AH portion provides for the integrity requirement and the ESP encryption provides for the confidentiality requirement of NIST.
>
> Think of AH as being like just signing a PGPMail, and ESP as signing and encrypting a PGPMail.
>
> There are reasons for both.
>
> Tom
>

