[Cryptography] Two quick questions about IPsec AH

Dan McDonald danmcd at kebe.com
Tue Jan 4 14:01:23 EST 2022


On Jan 3, 2022, at 10:21 PM, R Perlman <radiajpc at gmail.com> wrote:
> 
> 1) Is anyone using it, or are they just using ESP?

Most use ESP.  AH was specified separately for two reasons:

1.) Easier to export if that part of the govt. got their knickers in a twist.

2.) It was a belief at the time (mid/early 90s) that source routing header attacks were a thing and that AH would help protect against them.  It was, in hindsight, a mistaken belief.

> 2) The length field in AH is expressed in units of 4 bytes, and AH in general was made to look like an IPv6 extension header, but IPv6 extension headers have the length expressed in multiples of 8 bytes.  Is there an interesting story there?

I'd have to go through my notes... I joined NRL not long after those were specified, and I may have some historical context.  ISTR it might have something to do with making it IPv4 compatible.... yeah, as I type that, it makes more sense.

Both AH and ESP were originally designed as part of the IPng effort (SIP, then SIPP, then IPv6 in NRL's case), but AH and ESP were the first IPng features to be backported to IPv4.  They were NOT the last, however.

Dan
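
Added example (not part of the original message or of any IPsec implementation): a Python sketch of the length rule discussed above, showing that a parser walking an IPv6 header chain has to special-case AH, whose length byte counts 4-byte words minus 2 (RFC 4302), while the other extension headers count 8-byte units beyond the first 8 bytes (RFC 8200). The function names and the sample packet bytes are constructed for illustration.

```python
import struct

AH = 51                    # IP protocol number of the Authentication Header
GENERIC_EXT = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options (RFC 8200)

def ext_header_len(proto, len_field):
    """Header length in bytes, given the header type and its 8-bit length field."""
    if proto == AH:
        return (len_field + 2) * 4   # RFC 4302: 4-byte words, minus 2
    if proto in GENERIC_EXT:
        return (len_field + 1) * 8   # RFC 8200: 8-byte units, first 8 bytes not counted
    raise ValueError(f"protocol {proto} is not a length-prefixed extension header")

def parse_ah(buf, ipv6):
    """Parse one AH header at the start of buf and validate its length field."""
    if len(buf) < 12:
        raise ValueError("truncated AH fixed fields")
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", buf[:12])
    total = ext_header_len(AH, payload_len)
    if total < 12 or total > len(buf):
        raise ValueError("AH Payload Len inconsistent with packet")
    if ipv6 and total % 8:
        raise ValueError("AH must be padded to a multiple of 8 bytes in IPv6")
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": buf[12:total], "length": total}

def find_upper_layer(first_proto, payload):
    """Walk the header chain; return (upper-layer protocol, its byte offset)."""
    proto, off = first_proto, 0
    while proto == AH or proto in GENERIC_EXT:
        if off + 2 > len(payload):
            raise ValueError("truncated extension header")
        hdr_len = ext_header_len(proto, payload[off + 1])
        if off + hdr_len > len(payload):
            raise ValueError("extension header overruns packet")
        proto, off = payload[off], off + hdr_len
    return proto, off

# Constructed sample: Destination Options (8 bytes) -> AH with 96-bit ICV -> TCP
DSTOPT = bytes([AH, 0, 1, 4, 0, 0, 0, 0])            # Hdr Ext Len 0, PadN option
AH_HDR = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1) + b"\xaa" * 12
SAMPLE = DSTOPT + AH_HDR + b"\x00" * 20              # 20 placeholder TCP bytes
```

With the same length byte of 4, the AH rule gives 24 bytes and the generic extension-header rule gives 40, so a walker that applies the generic rule to AH lands 16 bytes into the upper-layer header.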


