Date: 23 Apr 2004 08:02:15 -0400
From: Greg Troxel <gdt@ir.bbn.com>
To: "Dan Langille" <dan@langille.org>
Cc: freebsd-security@FreeBSD.org
Subject: Re: IPsec - got ESP going, but not AH
Message-ID: <rmismeuucl4.fsf@fnord.ir.bbn.com>
In-Reply-To: <40885ECF.22456.1C68F42E@localhost>
References: <40885ECF.22456.1C68F42E@localhost>
While this should probably work, it's more straightforward to use ESP with integrity protection. That is, use a -A hmac-sha1 argument also to ESP. (hmac-md5 is probably still fine, but sha1 goes better strength-wise with rijndael-cbc.)

I believe that in tunnel mode AH and ESP integrity are essentially identical - but read RFC2401 and rfc2401bis (i-d from ipsec wg) if you really want to understand. In transport mode, AH protects parts of the original (and only) IP header.

--
Greg Troxel <gdt@ir.bbn.com>
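As an added illustration of the advice above (not part of Greg's message), a setkey configuration for a gateway-to-gateway tunnel that puts both rijndael-cbc encryption and hmac-sha1 integrity on the same ESP SA, with the integrity-less variant shown commented out for contrast; the gateway addresses, protected subnets, SPIs and keys are constructed placeholders.

```conf
# setkey(8) configuration: ESP tunnel between two gateways.
# Gateways 192.0.2.1 and 198.51.100.1, inner subnets 10.1.0.0/24 and
# 10.2.0.0/24, SPIs 0x1001/0x1002 and all keys are constructed placeholders.
# Generate real keys with: openssl rand -hex 16 (cipher), openssl rand -hex 20 (hmac-sha1).
flush;
spdflush;

# Weak form (commented out): ESP with -E only gives confidentiality but no
# integrity check, which is what the message above advises against.
# add 192.0.2.1 198.51.100.1 esp 0x1001 -m tunnel
#     -E rijndael-cbc 0x0123456789abcdef0123456789abcdef ;

# Recommended form: -E and -A on the same ESP SA (128-bit cipher key,
# 160-bit hmac-sha1 key). One SA per direction.
add 192.0.2.1 198.51.100.1 esp 0x1001 -m tunnel
    -E rijndael-cbc 0x0123456789abcdef0123456789abcdef
    -A hmac-sha1 0x0123456789abcdef0123456789abcdef01234567 ;

add 198.51.100.1 192.0.2.1 esp 0x1002 -m tunnel
    -E rijndael-cbc 0xfedcba9876543210fedcba9876543210
    -A hmac-sha1 0xfedcba9876543210fedcba9876543210fedcba98 ;

# Security policy on gateway 192.0.2.1: traffic between the two inner
# subnets must use the ESP tunnel (require), so it is never sent in the clear.
spdadd 10.1.0.0/24 10.2.0.0/24 any -P out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require;

spdadd 10.2.0.0/24 10.1.0.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require;
```

Load it with `setkey -f <file>` and confirm with `setkey -D` that each ESP SA lists both an E: and an A: algorithm; the peer gateway uses the same SAs with the in/out policies swapped.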