AH is pretty useless and perhaps should be deprecated

James Hess mysidia at gmail.com
Mon Nov 16 20:07:31 CST 2009


On Mon, Nov 16, 2009 at 6:23 PM, Jack Kohn <kohn.jack at gmail.com> wrote:
> However, i still dont understand why AH would be preferred over
> ESP-NULL in case of OSPFv3. The draft speaks of issues with replaying
> the OSPF packets. One could also do these things with AH.
> Am i missing something?

Neither protects against replay without additional measures.
However,  AH  is very close...   consider using  AH-authenticated
packets with the timestamp option   and  clock synchronization between
peers.
Discard packets arriving that are more than 5 minutes old.

In transport mode for security between LAN peers, ESP NULL  verifies
the integrity of only the data  payload in the packet.  AH  secures
the header,  the IP header fields and options.

Therefore changing the timestamp to replay would  be detected.
This evil act would not be detected if you are using ESP NULL,  the
attacker can potentially replay this packet, while the SPI is still
good, and you'll never know.



One of AH's  most visible disadvantages (cannot be used with NAT) is a
side-effect of the increased security coverage it provides.  Many IPv4
 networks  require NAT,  making  AH  impractical.

However,  matters  could change for  IPv6  networks  with  high
security requirements,   that need to validate authenticity of more
than just packet contents...

--
-J




More information about the NANOG mailing list