Phillip Hallam-Baker <[email protected]> wrote:
> Phil,
> The issue is not that ESP needs a NULL cipher. It's that AH
> wouldn't traverse NAT, and so they needed ESP to do the work that AH
> was designed to do.
> I understand that, though the fact that ESP with authentication would
> work through NAT but not AH seems remarkably odd to me. It suggests
> that the design is wrong.
> That flags a design error in the protocol AFAIK.
No, it's because NAT is an attack by a middle box on end to end flow, and
back in 1994, we didn't think anyone would be so stupid as to do that kind of
thing.
--
Michael Richardson <[email protected]>, Sandelman Software Works
perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
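The reason behind the AH/NAT point in the thread above, as an added example that is not part of the original messages: AH's integrity check value covers the IP header (addresses included, with mutable fields such as TTL zeroed out), so a NAT that rewrites the source address breaks verification, while ESP's ICV covers only the ESP datagram and is indifferent to the outer header. The model below is a deliberately simplified stand-in for the real RFC 4302/4303 computations, with a constructed key, constructed addresses and a constructed payload.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key standing in for the SA's integrity key.
KEY = b"constructed-demo-key"


def ip_header(src: str, dst: str, ttl: int = 64) -> bytes:
    """Only the IPv4 fields this model needs: source, destination, TTL."""
    return struct.pack("!4s4sB", ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, ttl)


def ah_icv(hdr: bytes, payload: bytes) -> bytes:
    """AH: ICV over the IP header (mutable TTL zeroed) plus the payload."""
    immutable = hdr[:8] + b"\x00"          # addresses kept, TTL zeroed
    return hmac.new(KEY, immutable + payload, hashlib.sha256).digest()[:12]


def esp_icv(payload: bytes) -> bytes:
    """ESP with authentication: ICV over the ESP datagram only, never the outer IP header."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:12]


def router_hop(hdr: bytes) -> bytes:
    """Ordinary forwarding: only the TTL changes."""
    return hdr[:8] + bytes([hdr[8] - 1])


def nat_rewrite(hdr: bytes, new_src: str = "198.51.100.1") -> bytes:
    """Source NAT: the middlebox replaces the source address (constructed public address)."""
    return ipaddress.IPv4Address(new_src).packed + hdr[4:]


def send_through(path, protocol: str, payload: bytes = b"constructed payload") -> bool:
    """Sender computes the ICV, each hop transforms the header, receiver re-verifies."""
    hdr = ip_header("10.0.0.2", "203.0.113.9")   # constructed private -> public
    icv = ah_icv(hdr, payload) if protocol == "AH" else esp_icv(payload)
    for hop in path:
        hdr = hop(hdr)
    expected = ah_icv(hdr, payload) if protocol == "AH" else esp_icv(payload)
    return hmac.compare_digest(icv, expected)


ROUTE_ONLY = [router_hop, router_hop]
ROUTE_WITH_NAT = [router_hop, nat_rewrite, router_hop]
```

The model ignores ESP's own trouble with port-based NAPT (ESP carries no transport ports), which is what UDP encapsulation of ESP was later introduced to address.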
