
RE: linux-ipsec: IPSec & NAT

From: Henry Spencer <henry(at)spsystems.net>
Date: Mon Oct 12 1998 - 23:05:58 EDT


> If AH provides additional protection against some weakness in ESP's

The one useful thing that AH does, over and above what's done by ESP's built-in authentication (which is quite adequate for securing ESP), is that it also covers some of the fields of the surrounding header. This is a violation of layering and a nuisance to implement. Just how much security it adds is, well, hotly debated.

Were basic IPSEC architectural decisions re-opened, there would be a sizable faction trying to kill AH entirely, on the grounds that the added hassle buys little or no extra security. However, it's not likely to happen, except perhaps in the vague and misty future if it turns out that nobody ever uses AH.

> Now, onto my next question. I'd eventually like to be able to use IPSec in

Right now, it simply looks like an interface. That will definitely change in 2.1.xxx, but just how is distinctly vague as yet. We'd like to move toward a unified routing/filtering/IPSEC assembly that you can configure as you wish, but the 2.1.xxx kernel hasn't settled down very well yet and it'll be a while before we have a clear picture of the impact on us.

> ...helpful if somewhere (maybe on the project's relatively terse web page)

This comes under the "we need better docs" heading, which unfortunately is not exactly a surprise to us. :-(

> Finally, I couldn't find any mention of whether DHCP support of the ipsec


That's because we're a long way away from making decisions like that yet... especially since it's unlikely that we will retain the awkward business of looking like an interface when we move to 2.1.xxx. If that day is much delayed, it's quite likely that our setup scripts will get smart enough to automatically pick up the address of the underlying interface, rather than having it statically configured. (I've come close to implementing that once or twice already.)

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)
Received on Tue Oct 13 00:23:54 1998
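The point above about AH covering fields of the surrounding IP header is also why AH and NAT (the thread's subject) do not get along. The following is an added example, not code from the post or from the Linux IPSEC project: it models RFC 2402's mutable-field zeroing with constructed packets, a constructed key and HMAC-SHA256-96 (an assumed algorithm), and checks whether each authenticator still verifies after a hop that decrements TTL and, optionally, a NAT that rewrites the source address.

```python
import hmac, hashlib, socket, struct

KEY = b"constructed-demo-key"   # constructed sample key, not from the post

def ipv4_header(src, dst, ttl, proto, total_len=64):
    """Minimal 20-byte IPv4 header without options; checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_covered_bytes(ip_hdr, ah_hdr, payload):
    # RFC 2402: AH's ICV covers the outer IP header with the fields that change
    # in transit zeroed (TOS, flags/frag offset, TTL, checksum), the AH header
    # with its ICV field zeroed, and the payload.  Addresses are NOT zeroed.
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    a = bytearray(ah_hdr); a[12:] = b"\0" * (len(a) - 12)
    return bytes(h) + bytes(a) + payload

def icv(data):  # HMAC-SHA256-96, a 96-bit truncated authenticator (assumed)
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def ah_packet(src, dst, ttl, payload, spi=0x100, seq=1):
    ip = ipv4_header(src, dst, ttl, 51)
    ah = struct.pack("!BBHII", 6, 4, 0, spi, seq) + b"\0" * 12  # next=TCP, len=(24/4)-2
    return ip, ah[:12] + icv(ah_covered_bytes(ip, ah, payload)), payload

def ah_verify(ip, ah, payload):
    return hmac.compare_digest(ah[12:], icv(ah_covered_bytes(ip, ah, payload)))

def esp_packet(src, dst, ttl, payload, spi=0x200, seq=1):
    # ESP's built-in authentication covers only SPI, sequence number and the
    # payload (left unencrypted here for clarity); the outer IP header is outside it.
    ip = ipv4_header(src, dst, ttl, 50)
    body = struct.pack("!II", spi, seq) + payload
    return ip, body + icv(body)

def esp_verify(ip, esp):
    return hmac.compare_digest(esp[-12:], icv(esp[:-12]))

def after_path(src, dst, nat_src=None):
    # Send both packet types through a hop that decrements TTL and, optionally,
    # a NAT that rewrites the source address; return (ah_ok, esp_ok) at the receiver.
    payload = b"constructed payload"
    _, ah, pl = ah_packet(src, dst, 64, payload)
    _, esp = esp_packet(src, dst, 64, payload)
    new_src = nat_src or src
    return (ah_verify(ipv4_header(new_src, dst, 63, 51), ah, pl),
            esp_verify(ipv4_header(new_src, dst, 63, 50), esp))
```

A plain router hop (TTL decrement) leaves both authenticators intact because TTL is a mutable field, while the NAT's address rewrite breaks AH but not ESP, since only AH covers the addresses.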

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:03 EDT

