Subject: Re: IP Tunneling I think ?
To: Jun-ichiro itojun Hagino <>
From: Craig Metz <>
List: tech-net
Date: 01/26/1999 23:27:15
In message <>, you write:
>> (Heiko W.Rupp) writes:
>>> I was hoping, that we 
>>> a) integrate IPsec soon
>>> b) find a way to actually distribute crypto things in our tree for all.
>>As a foot-in-the-door would it be possible to supply ipsec minus the
>>crypto?  Eg. deliver authentication options but no privacy options.
>	Yes that is possible, some of IPsec projects in US does that for
>	distribution to outside US.  I dunno how much demand are there
>	for "AH only" implementation, I believe people wants ESP too...

  The comment has been made by many people that any idiot can write ESP and AH,
and many have. They really aren't difficult to write, nor are they really a
hard problem to figure out.

  The "other stuff" you need to build a really useful IPsec implementation is
much harder to design, much harder to build, and much harder to get right. And
this same "other stuff" contain the pieces that need to go here and there in
the kernel.

  I don't think there's any shame in shipping an AH-only implementation that is
otherwise complete; if you do that, ESP will appear. This also allows you to
have something while you figure out the crypto legal/political issues.

  You wouldn't know it the way people talk, but AH alone *is* useful. There are
plenty of good uses for strong authentication. So just because you don't have
ESP doesn't mean you don't have something worthwhile.