[Cryptography] Two quick questions about IPsec AH

Paul Wouters paul at nohats.ca
Sat Jan 8 12:31:09 EST 2022


On Thu, 6 Jan 2022, Christian Huitema wrote:

> Definitely an issue. AH does not work with NAT. ESP mode is better, because it does work with some NAT -- those that have been upgraded to
> support it. But then, not all NATs have been, so in practice we end up with IPSEC over UDP (RFC 3948), or even SSL VPN.

And SSL VPNs are again being obsoleted by IKEv2 and ESP over TCP in
RFC 8229. This RFC is interesting in that it basically uses a prefix of
"IKETCP". The RFC does not really clearly say why, because it cannot. It
is of course to ensure you can run it on port 443 and demultiplex the
stream to break through firewalls just like SSL VPNs do, by looking
like HTTPS traffic. But the IETF cannot say that out loud. If you look
in earlier drafts, you see this mentioned clearly, but the RFC makes
no mention of TLS or port 443.

Paul

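The framing Paul refers to, as an added example that is not part of the thread: after the "IKETCP" stream prefix, RFC 8229 carries each message behind a 16-bit big-endian length (which counts the length field itself), and an IKE message is additionally preceded by the 4-octet zero Non-ESP Marker borrowed from UDP encapsulation, while an ESP packet starts directly with its non-zero SPI. The demultiplexer below is my own illustration, not code from any IKE implementation; the IKE_SA_INIT header and the ESP packet it feeds in are constructed samples, and the minimum-size checks are an assumption of this example rather than a rule the RFC spells out.

```python
import struct

# RFC 8229: the TCP stream opens with this prefix, then length-prefixed
# messages. The 4-octet zero Non-ESP Marker comes from RFC 3948.
STREAM_PREFIX = b"IKETCP"
NON_ESP_MARKER = b"\x00\x00\x00\x00"
LENGTH_FIELD = 2          # 16-bit length, network byte order, includes itself
MIN_IKE_MESSAGE = 28      # IKEv2 header size; assumption used for sanity checks
MIN_ESP_PACKET = 8        # SPI + sequence number; assumption used for sanity checks


def frame(payload: bytes, ike: bool) -> bytes:
    """Encapsulate one IKE message or ESP packet for the TCP stream."""
    body = (NON_ESP_MARKER if ike else b"") + payload
    total = LENGTH_FIELD + len(body)
    if total > 0xFFFF:
        raise ValueError("message does not fit the 16-bit length field")
    return struct.pack("!H", total) + body


class IkeTcpDemux:
    """Reassembles messages from arbitrary TCP segment boundaries."""

    def __init__(self) -> None:
        self.buf = b""
        self.prefix_seen = False

    def feed(self, data: bytes) -> list:
        self.buf += data
        out = []
        if not self.prefix_seen:
            if len(self.buf) < len(STREAM_PREFIX):
                return out                      # wait for the whole prefix
            if not self.buf.startswith(STREAM_PREFIX):
                raise ValueError("stream does not start with IKETCP")
            self.buf = self.buf[len(STREAM_PREFIX):]
            self.prefix_seen = True
        while len(self.buf) >= LENGTH_FIELD:
            (total,) = struct.unpack("!H", self.buf[:LENGTH_FIELD])
            if total < LENGTH_FIELD + 4:
                raise ValueError("length too small to hold a marker or an SPI")
            if len(self.buf) < total:
                break                           # rest of this message not yet received
            body = self.buf[LENGTH_FIELD:total]
            self.buf = self.buf[total:]
            if body[:4] == NON_ESP_MARKER:      # zero marker: IKE; an ESP SPI is never zero
                ike = body[4:]
                if len(ike) < MIN_IKE_MESSAGE:
                    raise ValueError("IKE message shorter than its header")
                out.append(("IKE", ike))
            else:
                if len(body) < MIN_ESP_PACKET:
                    raise ValueError("ESP packet shorter than SPI + sequence number")
                out.append(("ESP", body))
        return out


def constructed_ike_sa_init() -> bytes:
    """Constructed sample: a bare IKEv2 IKE_SA_INIT header, no payloads (28 octets)."""
    spi_i = bytes.fromhex("0123456789abcdef")
    spi_r = bytes(8)                            # responder SPI is zero in the first message
    # next payload 0, version 2.0, exchange type 34 (IKE_SA_INIT), flags 0x08 (initiator),
    # message ID 0, total length 28
    return spi_i + spi_r + struct.pack("!BBBBII", 0, 0x20, 34, 0x08, 0, 28)


def constructed_esp() -> bytes:
    """Constructed sample: SPI 0xabcd, sequence 1, 16 octets standing in for ciphertext."""
    return struct.pack("!II", 0x0000ABCD, 1) + b"\x5a" * 16


def demo() -> list:
    """Frame one IKE and one ESP message, then demux them across a split segment."""
    stream = (STREAM_PREFIX
              + frame(constructed_ike_sa_init(), ike=True)
              + frame(constructed_esp(), ike=False))
    demux = IkeTcpDemux()
    # Deliver as two TCP segments that split the first message mid-body.
    messages = demux.feed(stream[:20]) + demux.feed(stream[20:])
    return [(kind, len(payload)) for kind, payload in messages]


if __name__ == "__main__":
    print(demo())
```

Two things worth noting when putting this on port 443: the length field bounds a message at 65535 octets, so a fragmenting IKE or a large ESP packet must already fit, and the first six octets of the stream are the literal "IKETCP", not a TLS record header (content type 0x16 followed by a 0x03 version byte), so the disguise only holds against filtering by port number, not against a middlebox that inspects the initial bytes.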
