>>>>> "Jack" == Jack Kohn <[email protected]> writes:
    Jack> We all know the different extension headers that exist in
    Jack> IPv6.

    Jack> You said AH helps in securing IPv6 extension headers. I want
    Jack> to understand which extension header did you specifically have
    Jack> in mind.

Let me ask a different question: what's the savings in obsoleting AH,
given that RFC4301 already makes it optional, and many vendors have
already implemented, tested and deployed the code?

    Jack> So, what's the *real* operational risk that you're looking at?

    Jack> AH covers the destination IP and the source IP. If somebody
    Jack> changes them, IPsec processing will fail at the SPD checks. So
    Jack> what do you gain by doing this?

    Jack> Again, what's the *real* gain that we get by AH?

AH works for multicast, and could work even when the receiver does not have
the key.  

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] [email protected] http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
                       then sign the petition. 
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
