On Tue, 4 Mar 2014, RJ Atkinson wrote:

>> What does "protecting" those bits mean? Endpoints A and B protect
>> something by cryptography, but any router in the middle can't trust
>> those signatures anyway. So I don't see how AH is different from
>> ESPinUDP where you set those options in the UDP header. These are
>> not "protected" but the router can't verify the crypto anyway.
>
> At least some deployed routers in the middle in some deployments
> ARE able to validate and therefore trust the AH values (and trust
> that the IP options present were placed there by the sender).  This
> was ALWAYS something that was designed-in to AH (RFC-1826, Section 1.1).
> Some other kinds of middleboxes (e.g. some firewalls) also can do this.

I was not aware of such deployments. Thanks for the information.

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
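The point RJ makes above, that a middlebox holding the AH key can validate the ICV and therefore trust the IP options, as an added Python example that is not from this thread or from any IPsec implementation. It applies the RFC 4302 mutable-field rules as I understand them to a constructed IPv4+AH packet; the key, addresses, SPI, the choice of HMAC-SHA-256-128, the absence of source-routing options and the uncomputed header checksum are all assumptions of the example.

```python
import hmac, hashlib, struct

KEY = b"constructed-demo-key"          # constructed; shared by sender and verifying middlebox
AH_PROTO, NEXT_UDP = 51, 17
MUTABLE_OPTS = {7, 68, 131, 137}       # Record Route, Timestamp, LSRR, SSRR: zeroed whole

def ipv4_header(src, dst, options=b"", payload_len=0, ttl=64):
    # Constructed IPv4 header; checksum left 0 (it is mutable and excluded from the ICV anyway)
    options += bytes(-len(options) % 4)
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + payload_len, 0x1234,
                       0x4000, ttl, AH_PROTO, 0, src, dst) + options

def ah_protected_view(ip_hdr):
    """IPv4 header with mutable fields zeroed as RFC 4302 requires (assumes no source routing)."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = bytes(2); h[8] = 0; h[10:12] = bytes(2)  # TOS, flags/frag, TTL, checksum
    i = 20
    while i < len(h) and h[i] != 0:    # walk options until End-of-Option-List
        if h[i] == 1:                  # NOP: one byte, immutable
            i += 1; continue
        n = h[i + 1]
        if h[i] in MUTABLE_OPTS:       # routers legitimately rewrite these, so zero them
            h[i:i + n] = bytes(n)
        i += n
    return bytes(h)

def ah_icv(ip_hdr, ah_hdr, payload):
    """HMAC-SHA-256-128 over zeroed IP header, AH header with ICV field zeroed, and payload."""
    data = ah_protected_view(ip_hdr) + bytes(ah_hdr[:12]) + bytes(16) + bytes(payload)
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def build_ah_packet(options, payload, spi=0x1000, seq=1):
    ah = struct.pack("!BBHII", NEXT_UDP, 5, 0, spi, seq)   # payload len 5 = 28/4 - 2
    ip_hdr = ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", options, 28 + len(payload))
    return ip_hdr + ah + ah_icv(ip_hdr, ah, payload) + payload

def ah_verify(packet):  # what a keyed middlebox (or the receiver) does: recompute and compare
    packet = bytes(packet)
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, ah_hdr, payload = packet[:ihl], packet[ihl:ihl + 28], packet[ihl + 28:]
    return hmac.compare_digest(ah_hdr[12:], ah_icv(ip_hdr, ah_hdr, payload))

def demo():  # Router Alert (immutable) plus Record Route (mutable); see which edits survive
    router_alert, record_route = b"\x94\x04\x00\x00", b"\x07\x07\x04" + bytes(4)
    pkt = bytearray(build_ah_packet(router_alert + record_route, b"payload"))
    out = {"as_sent": ah_verify(pkt)}
    pkt[8] -= 1                              # hop decrements TTL: mutable, still verifies
    out["ttl_decremented"] = ah_verify(pkt)
    pkt[27:31] = b"\x0a\x00\x00\x09"         # hop records its address: mutable option
    out["record_route_filled"] = ah_verify(pkt)
    pkt[22:24] = b"\x00\x01"                 # Router Alert value altered: immutable, ICV fails
    out["router_alert_altered"] = ah_verify(pkt)
    return out
```

An ESP-in-UDP ICV covers only the ESP payload, so a verifier given the same packet would have no way to detect the altered Router Alert option; that is the difference the thread is about.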