On Monday, February 3, 2003, at 03:51  AM, Christopher Lyon wrote:

I am sure AH and ESP don't care if the IP checksum changes because
that is just down one layer. ESP and AH are separate from TCP and UDP so
most firewalls won't even perform NAT on these packets.
Unfortunately, AH does care. Its checksums are on the whole packet, rather than just the payload. NATing an AH packet invalidates it. On the plus side, almost nobody uses AH, since it only provides authentication and lacks privacy. If you need that kind of functionality, you could run ESP with a null cipher.

I've noticed a number of IPsec products have dropped AH support over the past couple of years in favor of ESP w/null cipher....

--
Jason Costomiris <><
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.
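The distinction in the reply above, as an added example that is not part of this thread: a Python model of what the AH integrity check covers (the IP header with mutable fields zeroed, per RFC 4302) versus what ESP's covers. The key, SPI, addresses and payload are constructed sample values, and the ICV is HMAC-SHA256 truncated to 96 bits, standing in for whatever algorithm the SA would actually negotiate.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA key

def ipv4_header(src, dst, proto, ttl=64, tos=0, total_len=64, ident=0x1234,
                flags_frag=0x4000, checksum=0):
    # Minimal 20-byte IPv4 header without options; checksum left as given.
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag,
                       ttl, proto, checksum,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def ah_icv_input(ip_hdr, ah_hdr, payload):
    # What AH authenticates (RFC 4302 3.3.3.1): the IP header with its mutable
    # fields zeroed, the AH header with the ICV field zeroed, and the payload.
    # Source/destination addresses are NOT mutable, so a NAT rewrite breaks the ICV.
    h = bytearray(ip_hdr)
    h[1] = 0                    # DSCP/ECN
    h[6:8] = b"\x00\x00"        # flags + fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h) + ah_hdr[:12] + b"\x00" * 12 + payload

def ah_header(spi, seq, next_hdr=6):
    # payload-len field = AH length in 32-bit words minus 2; a 24-byte AH gives 4
    return struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + b"\x00" * 12

def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]  # 96-bit truncated ICV

def ah_verify(ip_hdr, ah_hdr, payload):
    return hmac.compare_digest(ah_hdr[12:], icv(ah_icv_input(ip_hdr, ah_hdr, payload)))

def esp_verify(esp_part):
    # ESP's ICV covers only the ESP header, payload and trailer; the outer IP
    # header is not an input at all, so address rewriting cannot invalidate it.
    body, tag = esp_part[:-12], esp_part[-12:]
    return hmac.compare_digest(tag, icv(body))

def demo():
    payload = b"constructed TCP segment"
    hdr = ipv4_header("10.0.0.5", "198.51.100.7", proto=51)
    ah = ah_header(0x100, 1)
    ah = ah[:12] + icv(ah_icv_input(hdr, ah, payload))   # sender fills in the ICV
    esp = b"\x00\x00\x02\x00\x00\x00\x00\x01" + b"opaque ciphertext"  # SPI, seq, data
    esp += icv(esp)
    routed = ipv4_header("10.0.0.5", "198.51.100.7", proto=51, ttl=63)     # router hop
    natted = ipv4_header("203.0.113.9", "198.51.100.7", proto=51, ttl=63)  # NAT rewrote src
    return {"ah_after_router": ah_verify(routed, ah, payload),  # True: TTL is mutable
            "ah_after_nat": ah_verify(natted, ah, payload),     # False: src is covered
            "esp_after_nat": esp_verify(esp)}                   # True: outer hdr not covered
```

ESP survives the address rewrite; whether a NAT device forwards IP protocol 50 at all is a separate matter, which is what UDP encapsulation of ESP (RFC 3948) exists for.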



--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list

