We all know the different extension headers that exist in IPv6. You said AH helps in securing IPv6 extension headers. I want to understand which extension header did you specifically have in mind.

You can't protect fragmentation header, since fragmentation is done after IPsec processing and the reassembly is done before IPsec processing.

In case of Hop-by-Hop and Destination Options Header, it's only the Option Type and the Option Length that's included in the AH ICV calculation. The data may or may not be included depending upon whether it can be modified in transit or not. ESP does not include the Option Type and the Length.

So, what's the *real* operational risk that you're looking at?

AH covers the destination IP and the source IP. If somebody changes them, IPsec processing will fail at the SPD checks. So what do you gain by doing this?

Again, what's the *real* gain that we get by AH?

Jack

On Tue, Jan 3, 2012 at 5:25 AM, RJ Atkinson <[email protected]> wrote:
>
> On 02 Jan 2012, at 18:25 , Jack Kohn wrote:
>>> Similar IPv6 examples exist.
>>
>> And I would like to know what those are.
>>
>> What about IPv6?
>
> As I noted, a range of examples exist for IPv6,
> and another range of examples exist for IPv4.
>
> If one is inclined to study further, one possible
> starting place is the IANA registries of IP options
> and optional headers. Most, but sadly not all,
> currently defined IPv4 and IPv6 options are listed
> by IANA in various registries:
>
> <http://www.iana.org>
>
> Yours,
>
> Ran
>
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec
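
Added example, not part of the original thread: the AH treatment of Hop-by-Hop and Destination Options headers discussed above, following RFC 4302 section 3.3.3.1.2.2 (Option Type and Opt Data Len always enter the ICV; option data is zeroed when the option's "may change en route" bit is set). The function name icv_view and the sample header bytes are constructed for illustration.

```python
MUTABLE_BIT = 0x20   # third-highest-order bit of Option Type: data may change en route
PAD1 = 0x00          # single-octet padding option, has no length or data field


def icv_view(ext_hdr: bytes) -> bytes:
    """Return an options extension header as it is fed into the AH ICV:
    Option Type and Opt Data Len are kept, mutable option data is zeroed."""
    if len(ext_hdr) < 8 or len(ext_hdr) != (ext_hdr[1] + 1) * 8:
        raise ValueError("Hdr Ext Len does not match buffer size")
    out = bytearray(ext_hdr)
    i = 2  # skip Next Header and Hdr Ext Len
    while i < len(out):
        opt_type = out[i]
        if opt_type == PAD1:
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated option")
        opt_len = out[i + 1]
        end = i + 2 + opt_len
        if end > len(out):
            raise ValueError("option overruns header")
        if opt_type & MUTABLE_BIT:
            out[i + 2:end] = bytes(opt_len)  # data excluded, type/length retained
        i = end
    return bytes(out)


# Constructed 16-byte Hop-by-Hop header (Next Header 0x33 = AH, Hdr Ext Len = 1):
#   0x05 Router Alert, len 2, data 00 00        -> immutable, fully covered
#   0x3e experimental type with mutable bit set -> data de ad be ef is zeroed
#   0x01 PadN, len 2
SAMPLE = bytes.fromhex("3301" "05020000" "3e04deadbeef" "01020000")

if __name__ == "__main__":
    print(icv_view(SAMPLE).hex())
```

Two headers that differ only in the data of a mutable option produce the same ICV input, so AH does not detect that change; a change to any Option Type, Opt Data Len, or immutable option data alters the ICV input.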
