You really don't want to open this can of worms... I suggest you go read the archives of the IPsec mailing list over the last 9 years. That should give you some clue into the depth of the can you plan to open...

-derek

martin f krafft <[EMAIL PROTECTED]> writes:

> As far as I can tell, IPsec's ESP has the functionality of
> authentication and integrity built in:
>
> RFC 2406:
>
>   2.7 Authentication Data
>
>   The Authentication Data is a variable-length field containing an
>   Integrity Check Value (ICV) computed over the ESP packet minus
>   the Authentication Data. The length of the field is specified by
>   the authentication function selected. The Authentication Data
>   field is optional, and is included only if the authentication
>   service has been selected for the SA in question. The
>   authentication algorithm specification MUST specify the length of
>   the ICV and the comparison rules and processing steps for
>   validation.
>
> To my knowledge, IPsec implementations use AH for "signing" though.
> Why do we need AH, or why is it preferred?
>
> Thanks for your clarification!
>
> --
> martin; (greetings from the heart of the sun.)
> \____ echo mailto: !#^."<*>"|tr "<*> mailto:" [EMAIL PROTECTED]
>
> invalid PGP subkeys? use subkeys.pgp.net as keyserver!
>
> XP is NT with eXtra Problems.

--
Derek Atkins
[EMAIL PROTECTED]
www.ihtfp.com
Computer and Internet Security Consultant

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
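
The ICV coverage in the quoted RFC 2406 section 2.7, as an added example that is not part of either message: it builds an ESP packet, checks the ICV over everything except the Authentication Data, and shows that bytes of the outer IP header are outside that coverage. Assumptions: HMAC-SHA-1-96 (RFC 2404) as the authentication function, an opaque payload standing in for ciphertext, and a constructed key, SPI and documentation addresses; all function names are hypothetical.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1-96 truncates the 20-byte HMAC to 96 bits
KEY = bytes(range(20))  # constructed key, for illustration only

def esp_build(key, spi, seq, payload, next_header=6):
    """SPI | Sequence | Payload | Padding | Pad Length | Next Header | ICV."""
    pad_len = (-(len(payload) + 2)) % 4       # right-align the 2-byte trailer
    padding = bytes(range(1, pad_len + 1))    # default padding bytes 1, 2, 3, ...
    body = (struct.pack("!II", spi, seq) + payload + padding
            + bytes([pad_len, next_header]))
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv

def esp_verify(key, packet):
    """Recompute the ICV over the ESP packet minus the Authentication Data."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return False
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)  # constant-time comparison

def ip_wrap(src, dst, esp):
    """Minimal outer IPv4 header (protocol 50 = ESP); checksum left at 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0,
                      64, 50, 0, src, dst)
    return hdr + esp

def receive(key, datagram):
    """Strip the outer IP header by its IHL, then validate the ESP ICV."""
    ihl = (datagram[0] & 0x0F) * 4
    return esp_verify(key, datagram[ihl:])

def demo():
    esp = esp_build(KEY, 0x1001, 1, b"constructed payload")
    good = ip_wrap(bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]), esp)
    # Same ESP packet, different outer source address: outside ICV coverage.
    readdressed = ip_wrap(bytes([203, 0, 113, 9]), bytes([198, 51, 100, 7]), esp)
    # One payload byte flipped: inside ICV coverage.
    flipped = bytearray(good)
    flipped[20 + 10] ^= 0x01
    return (receive(KEY, good), receive(KEY, readdressed),
            receive(KEY, bytes(flipped)))

if __name__ == "__main__":
    print(demo())
```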