You really don't want to open this can of worms....  I suggest you
go read the archives of the IPsec mailing list over the last 9
years.  That should give you some clue into the depth of the
can you plan to open...


martin f krafft <[EMAIL PROTECTED]> writes:

> As far as I can tell, IPsec's ESP has the functionality of
> authentication and integrity built in:
> RFC 2406:
>    2.7 Authentication Data
>    The Authentication Data is a variable-length field containing an
>    Integrity Check Value (ICV) computed over the ESP packet minus
>    the Authentication Data.  The length of the field is specified by
>    the authentication function selected.  The Authentication Data
>    field is optional, and is included only if the authentication
>    service has been selected for the SA in question.  The
>    authentication algorithm specification MUST specify the length of
>    the ICV and the comparison rules and processing steps for
>    validation.
> To my knowledge, IPsec implementations use AH for "signing" though.
> Why do we need AH, or why is it preferred?
> Thanks for your clarification!
> -- 
> martin;              (greetings from the heart of the sun.)
>   \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
> invalid PGP subkeys? use as keyserver!
> XP is NT with eXtra Problems.

       Derek Atkins                 
       Computer and Internet Security Consultant
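
The ICV rule quoted above from RFC 2406 section 2.7, as an added example that is not part of the original thread: the check value is computed over the ESP packet minus the Authentication Data and compared on receipt. It assumes HMAC-SHA-1-96 as the authentication function selected for the SA; the function names, key and packet bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Assumption: the SA selected HMAC-SHA-1-96, which truncates the MAC to 96 bits.
ICV_LEN = 12
ESP_HDR_LEN = 8  # SPI (4 bytes) + Sequence Number (4 bytes)


def compute_icv(key: bytes, esp_minus_auth: bytes) -> bytes:
    """ICV over the ESP packet minus the Authentication Data field."""
    return hmac.new(key, esp_minus_auth, hashlib.sha1).digest()[:ICV_LEN]


def esp_seal(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Return SPI | Sequence Number | payload | ICV.

    `payload` stands in for the already-encrypted Payload Data, Padding,
    Pad Length and Next Header fields (opaque bytes in this sketch).
    """
    body = struct.pack("!II", spi, seq) + payload
    return body + compute_icv(key, body)


def esp_verify(key: bytes, packet: bytes) -> bool:
    """Recompute the ICV and compare it with the trailing Authentication Data."""
    if len(packet) < ESP_HDR_LEN + ICV_LEN:
        return False  # too short to carry a header and an ICV
    body, received = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # Constant-time comparison avoids leaking how many ICV bytes matched.
    return hmac.compare_digest(compute_icv(key, body), received)


if __name__ == "__main__":
    key = bytes(range(20))                      # constructed 160-bit key
    pkt = esp_seal(key, 0x1000, 1, b"\xaa" * 16)  # constructed packet
    print("valid:", esp_verify(key, pkt))
    tampered = pkt[:10] + bytes([pkt[10] ^ 0x01]) + pkt[11:]
    print("tampered:", esp_verify(key, tampered))
```

The only input to the ICV is the ESP packet itself, starting at the SPI.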

The Cryptography Mailing List