+1.
I know of a network whose owners are far more worried about a replay attack
than about data being revealed to the outside world.
They need to verify the provenance of data (i.e. make sure that it hasn't
been NATted), and AH is a simple way to do these precise things.
-David Barak
James
On Nov 16, 2009, at 9:07 PM, James Hess wrote:
> On Mon, Nov 16, 2009 at 6:23 PM, Jack Kohn wrote:
>> However, I still don't understand why AH would be preferred over
>> ESP-NULL in case of OSPFv3. The draft speaks of issues with replaying
>> the OSPF packets. One could also do these things with
On Mon, Nov 16, 2009 at 6:23 PM, Jack Kohn wrote:
> However, I still don't understand why AH would be preferred over
> ESP-NULL in case of OSPFv3. The draft speaks of issues with replaying
> the OSPF packets. One could also do these things with AH.
> Am I missing something?
Neither protects agains
I read the draft and it's very interesting. There were some issues that
I had never imagined could exist and it does a wonderful job of
bringing them forth.
However, I still don't understand why AH would be preferred over
ESP-NULL in case of OSPFv3. The draft speaks of issues with replaying
the OSPF
Bill Fehring wrote:
> On Sun, Nov 15, 2009 at 20:48, Joel Jaeggli wrote:
>> Owen DeLong wrote:
>>> I've never seen anyone use AH vs. ESP.
>> OSPFv3?
>
> Maybe I'm asking a dumb question, but why would one prefer AH over ESP
> for OSPFv3?
Header protection... still doesn't provide replay protec
On Sun, Nov 15, 2009 at 20:48, Joel Jaeggli wrote:
> Owen DeLong wrote:
>> I've never seen anyone use AH vs. ESP.
>
> OSPFv3?
Maybe I'm asking a dumb question, but why would one prefer AH over ESP
for OSPFv3?
RFC4552:
"In order to provide authentication to OSPFv3, implementations MUST
support ES
Owen DeLong wrote:
> I've never seen anyone use AH vs. ESP.
OSPFv3?
> I've always used ESP and so has
> every other IPSEC implementation I've seen anyone do.
>
> Owen
>
> On Nov 13, 2009, at 4:22 PM, Jack Kohn wrote:
>
>> Hi,
>>
>> Interesting discussion on the utility of Authentication Heade
No - if you read the below pointers carefully it does specify that
ESP-Null is a MUST for OSPFv3 authentication protocol while AH is a
MAY. AH is mostly superfluous and complicates implementations.
Someone on the IPsec mailing list stated that at least two
implementations he was aware of u
On Nov 14, 2009, at 9:58 PM, Steven Bellovin wrote:
On Nov 14, 2009, at 8:28 PM, David Barak wrote:
I've seen AH used as a "prove that this hasn't been through a NAT"
mechanism. In this context, it's pretty much perfect.
However, what I don't understand is where the dislike for it
orig
On Sat, 14 Nov 2009, Jack Kohn wrote:
Hi,
Interesting discussion on the utility of Authentication Header (AH) in
IPSecME WG.
http://www.ietf.org/mail-archive/web/ipsec/current/msg05026.html
Post explaining that AH even though protecting the source and
destination IP addresses is really not
On Nov 14, 2009, at 8:28 PM, David Barak wrote:
> I've seen AH used as a "prove that this hasn't been through a NAT" mechanism.
> In this context, it's pretty much perfect.
>
> However, what I don't understand is where the dislike for it originates: if
> you don't like it, don't run it. It i
I've seen AH used as a "prove that this hasn't been through a NAT"
mechanism. In this context, it's pretty much perfect.
However, what I don't understand is where the dislike for it originates: if you
don't like it, don't run it. It is useful in certain cases, and it's already
in all of the p
On Nov 14, 2009, at 2:46 PM, Adam Stasiniewicz wrote:
> I have seen AH used in network segmentation. I.e. systems in group A are
> configured with rules to require all communication be over AH. Systems in
> group B (which have no AH and no appropriate certificates configured) can't
> chat with g
I have seen AH used in network segmentation. I.e. systems in group A are
configured with rules to require all communication be over AH. Systems in
group B (which have no AH and no appropriate certificates configured) can't
chat with group A. The benefit of using AH vs. ESP in this case is twofold
I prefer letting the market deprecate things. If no one uses AH, someday the
IETF can mark it as "Historic," but long before that there will come a time
when no one is interested in doing any more work on it. I was at the IETF
IPsec WG meeting (in Los Angeles in the mid-90s) when AH would have died
Junos VRRP with md5 authentication does.
On Sat, 2009-11-14 at 07:57 +0530, Jack Kohn wrote:
> So who uses AH and why?
>
> Jack
>
> On Sat, Nov 14, 2009 at 6:19 AM, Owen DeLong wrote:
> > I've never seen anyone use AH vs. ESP. I've always used ESP and so has
> > every other IPSEC implement
If I recall correctly what an implementor once told me, the work
involved in taking the fields that are immutable, then hashing the
packet, then sticking those immutable fields back in is actually more
work than encrypting. Surprised me at the time but seems to be the
case.
- merike
On No
I've seen some vendor implementations in which ESP actually outperformed AH
during performance testing... go figure...
Stefan Fouant
--Original Message--
From: Jack Kohn
To: nanog@nanog.org
Subject: AH is pretty useless and perhaps should be deprecated
Sent: Nov 13, 2009 7:22 PM
Hi,
Int
So who uses AH and why?
Jack
On Sat, Nov 14, 2009 at 6:19 AM, Owen DeLong wrote:
> I've never seen anyone use AH vs. ESP. I've always used ESP and so has
> every other IPSEC implementation I've seen anyone do.
>
> Owen
>
> On Nov 13, 2009, at 4:22 PM, Jack Kohn wrote:
>
>> Hi,
>>
>> Interesting
I've never seen anyone use AH vs. ESP. I've always used ESP and so has
every other IPSEC implementation I've seen anyone do.
Owen
On Nov 13, 2009, at 4:22 PM, Jack Kohn wrote:
Hi,
Interesting discussion on the utility of Authentication Header (AH) in
IPSecME WG.
http://www.ietf.org/mail-arc