As far as I can tell, IPsec's ESP has the functionality of
authentication and integrity built in:

RFC 2406:

   2.7 Authentication Data

   The Authentication Data is a variable-length field containing an
   Integrity Check Value (ICV) computed over the ESP packet minus
   the Authentication Data.  The length of the field is specified by
   the authentication function selected.  The Authentication Data
   field is optional, and is included only if the authentication
   service has been selected for the SA in question.  The
   authentication algorithm specification MUST specify the length of
   the ICV and the comparison rules and processing steps for

To my knowledge, IPsec implementations use AH for "signing" though.
Why do we need AH, or why is it preferred?

Thanks for your clarification!

martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
invalid PGP subkeys? use as keyserver!
XP is NT with eXtra Problems.

Attachment: pgp00000.pgp
Description: PGP signature

Reply via email to