>>>>> "RJ" == RJ Atkinson <rja.li...@gmail.com> writes:
    >> Routers can't validate the integrity protection regardless of
    >> whether AH or ESP-NULL in tunnel mode is used,

    RJ> Disagree.  Intermediate authentication can be performed by
    RJ> routers/firewalls, at least when AH is used.  The
    RJ> router/firewall could then act on the options in the packet
    RJ> having reasonable assurance that the option itself, and its
    RJ> contents, were valid for that packet.

Just to add to this: this intermediate authentication requires a
different key distribution protocol than most VPN vendors are used to.

In certain kinds of deployments, manually keyed AH and ESP is actually
not that unusual (to many intermediate nodes too), and it makes sense
for the small amount of traffic that is anticipated.  

Ran, as you've been rather inactive in IPsec, I suspect that some people
might not know what pieces of code and specification you wrote, and who
paid you to write those pieces of code.

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
                       then sign the petition. 

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
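The thread's point about intermediate authentication rests on what the AH integrity check value (ICV) covers: per RFC 4302 the ICV is computed over the whole packet, with the mutable IPv4 header fields (TOS byte, flags/fragment offset, TTL, header checksum) zeroed, so a router that holds the manually configured key can re-verify the ICV even after earlier hops have decremented the TTL. The following is an added illustration, not code from the list thread or from any IPsec implementation; the key, addresses, SPI and payload are constructed sample values, and the ICV is HMAC-SHA1-96 as in RFC 2404.

```python
import hmac
import hashlib
import struct

AH_PROTO = 51       # IP protocol number for the Authentication Header
AH_FIXED_LEN = 12   # next header, payload length, reserved, SPI, sequence number
ICV_LEN = 12        # HMAC-SHA1-96: the SHA-1 HMAC truncated to 96 bits (RFC 2404)


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: bytes, dst: bytes, total_len: int, ttl: int) -> bytes:
    """Minimal IPv4 header (no options) carrying AH as the next protocol."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s",
                                0x45, 0, total_len, 0x1234, 0, ttl, AH_PROTO, 0, src, dst))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(hdr))
    return bytes(hdr)


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1.1: mutable IPv4 fields are zeroed before the ICV is computed."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # DSCP / ECN
    h[6:8] = b"\x00\x00"     # flags and fragment offset
    h[8] = 0                 # TTL, changed by every router in the path
    h[10:12] = b"\x00\x00"   # header checksum, recomputed by every router
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    """ICV over the (mutable-zeroed) IP header, the AH header with ICV zeroed, and the payload."""
    data = zero_mutable_fields(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: bytes, dst: bytes, payload: bytes,
                    spi: int, seq: int, next_header: int = 17, ttl: int = 64) -> bytes:
    """Sender side: build IPv4 + AH + payload with a valid ICV (transport-mode layout)."""
    ah_len = AH_FIXED_LEN + ICV_LEN
    payload_len_words = ah_len // 4 - 2          # AH length in 32-bit words, minus 2
    ah_no_icv = struct.pack("!BBHII", next_header, payload_len_words, 0, spi, seq)
    ip_hdr = build_ipv4_header(src, dst, 20 + ah_len + len(payload), ttl)
    return ip_hdr + ah_no_icv + ah_icv(key, ip_hdr, ah_no_icv, payload) + payload


def verify_ah_packet(key: bytes, packet: bytes) -> bool:
    """What a keyed intermediate router (or the receiver) does: recompute and compare the ICV."""
    ip_hdr = packet[:20]
    if len(packet) < 20 + AH_FIXED_LEN + ICV_LEN or ip_hdr[9] != AH_PROTO:
        return False
    ah_no_icv = packet[20:20 + AH_FIXED_LEN]
    ah_len = (ah_no_icv[1] + 2) * 4
    if ah_len - AH_FIXED_LEN != ICV_LEN:
        return False                              # only HMAC-SHA1-96 is modelled here
    icv = packet[20 + AH_FIXED_LEN:20 + ah_len]
    payload = packet[20 + ah_len:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_no_icv, payload))


def forward_hop(packet: bytes) -> bytes:
    """What an ordinary router does in transit: decrement TTL, recompute the header checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    struct.pack_into("!H", h, 10, ipv4_checksum(h))
    return bytes(h) + packet[20:]


# Constructed sample values: a manually keyed SA shared with the intermediate node.
KEY = b"constructed-manual-ah-key"
PACKET = build_ah_packet(KEY, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"hello", spi=0x100, seq=1)

if __name__ == "__main__":
    print("verified after two hops:", verify_ah_packet(KEY, forward_hop(forward_hop(PACKET))))
    print("tampered payload verifies:", verify_ah_packet(KEY, PACKET[:-5] + b"HELLO"))
    print("wrong key verifies:", verify_ah_packet(b"some-other-key", PACKET))
```

The TTL and checksum change at every hop, yet verification still succeeds because those fields are excluded from the ICV; a modified payload or a node without the key fails. This is also why the keyed node can trust what it sees in the immutable header fields, and why, as the message notes, every such node has to be provisioned with the key, which the usual pairwise IKE exchange does not do.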
