Hello again,

I was hoping to avoid a discussion on the merits of AH versus ESP. 

ESP does provide authentication, but in the context of an integrity check value
for the IPv6 payload, not the IPv6 header. Additionally, from what I've read, ESP
authentication is optional, therefore my follow-up question is, "Is there a way to
turn off optional ESP authentication in OpenBSD?"

But back to my original question. One of the requirements we have is to use
both AH and ESP. Is there a way to do this in OpenBSD? We got other OSs to use
both AH and ESP, but I'd personally like to get OpenBSD involved in a more
heterogeneous testbed.

Cheers,

-----Original Message-----
>From: t...@fries.net
>Sent: Jan 2, 2009 11:36 AM
>To: Felipe Alfaro Solana <felipe.alf...@gmail.com>
>Cc: fortunato.montre...@earthlink.net, misc@openbsd.org
>Subject: Re: AH+ESP and IPv6
>
>If ESP does not decrypt, the payload is invalid. Adding AH adds no further
>functionality other than to thwart any attempts at NAT.
>-- 
>Todd Fries .. t...@fries.net
>
> _____________________________________________
>|                                             \  1.636.410.0632 (voice)
>| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
>| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
>| "..in support of free software solutions."  \          250797 (FWD)
>|                                             \
> \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
>                                                 
>              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
>                        http://todd.fries.net/pgp.txt
>
>Penned by Felipe Alfaro Solana on 20090102 20:29.56, we have:
>| On Fri, Jan 2, 2009 at 7:52 PM, Todd T. Fries <t...@fries.net> wrote:
>| 
>| > The other answer is, ESP provides AH, therefore AH is deprecated.
>| 
>| 
>| What do you mean? That OpenBSD's implementation of ESP automatically uses AH
>| too? (payload inside AH inside ESP?) Because ESP only provides
>| authentication for the payload only but not for the IP header. That's why AH
>| is useful.
>| 
>| Unless you really really want to play with AH to verify it works and such
>| > (which the below suggests it does not) ...
>| > --
>| > Todd Fries .. t...@fries.net
>| >
>| > Penned by Felipe Alfaro Solana on 20090102 17:38.51, we have:
>| > | On Tue, Dec 30, 2008 at 9:29 PM, <fortunato.montre...@earthlink.net>
>| > wrote:
>| > |
>| > | > I'm trying to use both AH and ESP to set up IPsec using Transport mode
>| > | > between two IPv6 OpenBSD 4.4 hosts.
>| > | >
>| > | > So far it worked for AH Transport mode or ESP Transport mode but I
>| > | > don't quite know how to do both AH and ESP. Any ideas?
>| > | >
>| > | > Here's a snippet from /etc/ipsec.conf :
>| > | >
>| > | >  ike esp transport from 2001::10 to 2001::5 psk "secret"
>| > | >
>| > | > I tried the following (and vice versa - ah vice esp).
>| > | >
>| > | >  ike esp transport from 2001::10 to 2001::5 psk "secret"
>| > | >  flow ah from 2001::10 to 2001::5
>| > | >
>| > | > I'm not sure either.
>| > |
>| > | Since you can apply ESP then AH, or apply AH and then ESP (depending on
>| > | what's more important for you, the digital signature or the encryption)
>| > | it's not obvious to me how to do it.
>| > |
>| > | --
>| > | http://www.felipe-alfaro.org/blog/disclaimer/
>| >
>| 
>| -- 
>| http://www.felipe-alfaro.org/blog/disclaimer/
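The thread's disagreement comes down to what each integrity check value (ICV) covers: AH's ICV includes the IP header (with its mutable fields zeroed), ESP's ICV does not. The following Python model, added here and not code from OpenBSD or from anyone in the thread, makes that difference concrete. It is a deliberately simplified model: the key, SPI, sequence number, addresses and payload are constructed for the demo, the HMAC is plain HMAC-SHA-256 truncated to 128 bits, and the payload is left unencrypted; real AH also covers the AH header itself and real ESP covers the IV and ciphertext rather than plaintext. What it does show is why a router decrementing the hop limit is accepted by AH while a rewritten source address (what a NAT does) is rejected by AH but passes ESP's check unnoticed, which is the point behind "AH thwarts NAT" above.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real SA would carry a negotiated key.
KEY = b"constructed-demo-key"


def ipv6_header(src, dst, payload_len, next_header, hop_limit=64):
    """Build a 40-byte IPv6 fixed header (RFC 8200 layout); traffic class and flow label are 0."""
    word0 = 6 << 28  # version 6, traffic class 0, flow label 0
    return struct.pack("!IHBB16s16s", word0, payload_len, next_header, hop_limit, src, dst)


def ah_icv(hdr, payload):
    """AH-style ICV (simplified): HMAC over the IPv6 header with its mutable fields
    zeroed (traffic class, flow label, hop limit; RFC 4302 section 3.3.3.1.2)
    followed by the upper-layer payload. Real AH also covers the AH header itself."""
    version_only = struct.unpack("!I", hdr[:4])[0] & 0xF0000000
    immutable = struct.pack("!I", version_only) + hdr[4:7] + b"\x00" + hdr[8:]
    return hmac.new(KEY, immutable + payload, hashlib.sha256).digest()[:16]


def esp_icv(esp_hdr, payload):
    """ESP-style ICV (simplified): HMAC over the ESP header (SPI, sequence) and the
    payload. The outer IP header is, by design, not an input."""
    return hmac.new(KEY, esp_hdr + payload, hashlib.sha256).digest()[:16]


def ah_verify(hdr, payload, tag):
    return hmac.compare_digest(ah_icv(hdr, payload), tag)


def esp_verify(hdr, esp_hdr, payload, tag):
    # hdr is accepted for symmetry with ah_verify but never used:
    # ESP integrity protection does not extend to the IP header.
    return hmac.compare_digest(esp_icv(esp_hdr, payload), tag)


def demo():
    """Return which modifications each mechanism accepts or rejects."""
    src = bytes.fromhex("20010000000000000000000000000010")  # 2001::10, as in the thread
    dst = bytes.fromhex("20010000000000000000000000000005")  # 2001::5
    payload = b"constructed transport-mode payload"
    esp_hdr = struct.pack("!II", 0x1000, 1)  # constructed SPI and sequence number
    hdr = ipv6_header(src, dst, len(esp_hdr) + len(payload), 50)  # next header 50 = ESP

    ah_tag = ah_icv(hdr, payload)
    esp_tag = esp_icv(esp_hdr, payload)

    # Legitimate in-transit change: a router decrements the hop limit (byte 7).
    hdr_hop = hdr[:7] + bytes([hdr[7] - 1]) + hdr[8:]
    # Header rewrite: source address (bytes 8..23) replaced, as a NAT would do.
    other_src = bytes.fromhex("20010000000000000000000000000099")  # constructed
    hdr_src = hdr[:8] + other_src + hdr[24:]
    # Payload tamper: one byte flipped.
    bad_payload = payload[:-1] + bytes([payload[-1] ^ 0x01])

    return {
        "ah_accepts_hop_limit_change": ah_verify(hdr_hop, payload, ah_tag),
        "ah_rejects_src_rewrite": not ah_verify(hdr_src, payload, ah_tag),
        "esp_still_valid_after_src_rewrite": esp_verify(hdr_src, esp_hdr, payload, esp_tag),
        "both_reject_payload_tamper": (not ah_verify(hdr, bad_payload, ah_tag))
        and (not esp_verify(hdr, esp_hdr, bad_payload, esp_tag)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The mutable-field zeroing is what lets AH survive normal forwarding while still binding the addresses; anything that must rewrite addresses in transit (NAT) therefore breaks AH by construction, whereas ESP's check is indifferent to the outer header, which is both why it survives NAT and why it cannot vouch for the header.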
