We all know the different extension headers that exist in IPv6.

You said AH helps in securing IPv6 extension headers. I want to
understand which extension header did you specifically have in mind.

You can't protect the fragmentation header, since fragmentation is done
after IPsec processing and the reassembly is done before IPsec
processing.

In case of Hop-by-Hop and Destination Options Header, it's only the
Option Type and the Option Length that's included in the AH ICV
calculation. The data may or may not be included depending upon
whether it can be modified in transit or not.

ESP does not include the Option Type and the Length.

So, what's the *real* operational risk that you're looking at?

AH covers the destination IP and the source IP. If somebody changes
them, IPsec processing will fail at the SPD checks. So what do you
gain by doing this?

Again, what's the *real* gain that we get by AH?

Jack

On Tue, Jan 3, 2012 at 5:25 AM, RJ Atkinson <[email protected]> wrote:
>
> On 02 Jan 2012, at 18:25, Jack Kohn wrote:
>>> Similar IPv6 examples exist.
>>
>> And I would like to know what those are.
>>
>> What about IPv6?
>
> As I noted, a range of examples exist for IPv6,
> and another range of examples exist for IPv4.
>
> If one is inclined to study further, one possible
> starting place is the IANA registries of IP options
> and optional headers.  Most, but sadly not all,
> currently defined IPv4 and IPv6 options are listed
> by IANA in various registries:
>
>        <http://www.iana.org>
>
> Yours,
>
> Ran
>
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec
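
An added example, not part of the thread: how a Hop-by-Hop or Destination Options header is prepared for the AH ICV under the RFC 4302 rule discussed above (Option Type and Opt Data Len always covered, Option Data zeroed when the option's "may change en route" bit is set). The function names, the key and the sample header bytes are constructed for illustration, and the HMAC here covers only this one header, whereas a real AH ICV covers the whole packet.

```python
import hashlib
import hmac

PAD1 = 0x00         # one-octet padding option, has no length field
MUTABLE_BIT = 0x20  # third-highest-order bit of Option Type: data may change en route


def ah_icv_view(hdr: bytes) -> bytes:
    """Return the options header as AH feeds it to the ICV computation."""
    if len(hdr) < 8 or len(hdr) != (hdr[1] + 1) * 8:
        raise ValueError("length does not match Hdr Ext Len")
    out = bytearray(hdr)
    i = 2  # skip Next Header and Hdr Ext Len
    while i < len(out):
        opt_type = out[i]
        if opt_type == PAD1:
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated option")
        data_len = out[i + 1]
        end = i + 2 + data_len
        if end > len(out):
            raise ValueError("option overruns header")
        if opt_type & MUTABLE_BIT:
            # Type and length stay in place; only the data is zeroed.
            out[i + 2:end] = bytes(data_len)
        i = end
    return bytes(out)


def header_icv(hdr: bytes, key: bytes) -> bytes:
    """HMAC over the prepared header only (stand-in for the full-packet ICV)."""
    return hmac.new(key, ah_icv_view(hdr), hashlib.sha256).digest()


# Constructed sample: Next Header 51 (AH), Hdr Ext Len 1 (16 octets), then
# Router Alert (0x05, immutable), experimental option 0x3e (mutable), PadN.
SAMPLE = bytes.fromhex("3301" "05020001" "3e04deadbeef" "01020000")
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    in_transit = SAMPLE[:8] + bytes.fromhex("cafef00d") + SAMPLE[12:]
    forged = SAMPLE[:5] + b"\x02" + SAMPLE[6:]
    print("ICV input:", ah_icv_view(SAMPLE).hex())
    print("mutable data rewritten, ICV unchanged:",
          header_icv(in_transit, KEY) == header_icv(SAMPLE, KEY))
    print("immutable data rewritten, ICV unchanged:",
          header_icv(forged, KEY) == header_icv(SAMPLE, KEY))
```
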