[148143] in North American Network Operators' Group
Re: Does anybody out there use Authentication Header (AH)?
daemon@ATHENA.MIT.EDU (Jack Kohn)
Wed Jan 4 10:56:38 2012
In-Reply-To: <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com>
Date: Wed, 4 Jan 2012 21:25:49 +0530
From: Jack Kohn <kohn.jack@gmail.com>
To: TR Shaw <tshaw@oitc.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Tom,
It seems NIST recommends ESP over AH.
You can look at the following 2 emails from Manav and Sriram on the IPsecME WG:
http://www.ietf.org/mail-archive/web/ipsec/current/msg07403.html
http://www.ietf.org/mail-archive/web/ipsec/current/msg07407.html
Jack
On Mon, Jan 2, 2012 at 5:57 AM, TR Shaw <tshaw@oitc.com> wrote:
>
> On Jan 1, 2012, at 7:12 PM, John Smith wrote:
>
>> Hi,
>>
>> I am trying to see if there are people who use AH, especially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.
>>
>> Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH. Or is it that people don't care and just use what their vendors provide them?
>>
>> Regards,
>> John
>
> AH provides for connectionless integrity and data origin authentication and provides protection against replay attacks. Many US Gov departments that have to follow NIST and do not understand what this means require it between internal point-to-point routers between one portion of their organization and another, adding more expense for no increase in operational security.
>
> If you are following NIST or DCID-63, this is required to meet certain integrity requirements.
>
> ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality. E.g. the AH portion provides for the integrity requirement and the ESP encryption provides for the confidentiality requirement of NIST.
>
> Think of AH as being like just signing a PGPMail, and ESP as signing and encrypting a PGPMail.
>
> There are reasons for both.
>
> Tom
>
>
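An added example, not from this thread, illustrating the one concrete difference behind John's "hardly a difference" question: with HMAC-SHA256 truncated to 96 bits as the integrity algorithm and constructed packets, the AH check covers the immutable fields of the outer IP header (so a changed source address is detected, while a TTL decrement is not), whereas ESP-NULL covers only the ESP header, payload and trailer. The key, addresses, SPIs and field values are all made up for the demo.

```python
import hmac
import hashlib
import struct

KEY = b"demo-key-not-for-real-use"  # constructed demo key, hypothetical

def ipv4_header(src, dst, ttl=64, proto=51):
    """20-byte IPv4 header from constructed sample values (checksum left 0)."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, 0x4000, ttl, proto, 0, s, d)

def zero_mutable(hdr):
    """RFC 4302 ICV rule: TOS, flags/fragment offset, TTL and checksum are zeroed."""
    return (hdr[0:1] + b"\x00" + hdr[2:6] + b"\x00\x00" + b"\x00"
            + hdr[9:10] + b"\x00\x00" + hdr[12:20])

def ah_icv(hdr, payload, spi=0x100, seq=1):
    """AH: ICV covers IP header (mutable fields zeroed) + AH header (ICV zeroed) + payload."""
    ah_hdr = struct.pack("!BBHII", 6, 4, 0, spi, seq) + b"\x00" * 12  # 96-bit ICV placeholder
    return hmac.new(KEY, zero_mutable(hdr) + ah_hdr + payload, hashlib.sha256).digest()[:12]

def esp_null_icv(_hdr, payload, spi=0x200, seq=1):
    """ESP-NULL: ICV covers ESP header + payload + trailer; the IP header (_hdr) is not covered."""
    pad_len = (-(len(payload) + 2)) % 4  # RFC 4303 trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, 6)
    return hmac.new(KEY, struct.pack("!II", spi, seq) + payload + trailer,
                    hashlib.sha256).digest()[:12]

def coverage_report():
    """True means the mode's ICV changes, i.e. the receiver would detect that change."""
    payload = b"constructed TCP segment"
    base = ipv4_header("192.0.2.1", "198.51.100.1")
    ttl_dec = ipv4_header("192.0.2.1", "198.51.100.1", ttl=63)  # normal router hop
    spoofed = ipv4_header("192.0.2.99", "198.51.100.1")         # altered source address
    return {
        "ah_detects_ttl_change": ah_icv(base, payload) != ah_icv(ttl_dec, payload),
        "ah_detects_src_change": ah_icv(base, payload) != ah_icv(spoofed, payload),
        "esp_null_detects_src_change": esp_null_icv(base, payload) != esp_null_icv(spoofed, payload),
        "both_detect_payload_change": (
            ah_icv(base, payload) != ah_icv(base, payload + b"!")
            and esp_null_icv(base, payload) != esp_null_icv(base, payload + b"!")
        ),
    }
```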