The Linux FreeS/WAN Project

Introduction     Online Documentation     FreeS/WAN Download     Old News     Related Tools     Helping Out     Bug Reports     Maillist & Archives     IPSEC Community     History & Politics     Credits     Home Page   !Lights!

AH removed from FreeS/WAN

   The largely unused AH (Authentication Header) has been removed from FreeS/WAN. FreeS/WAN is still able to authenticate packets via ESP (Encapsulating Security Protocol). Formerly the default, this is now the only available method. The change will affect few users, and most of those affected can set their peer IPsec implementation to use ESP authentication.

   FreeS/WAN aims to be a lightweight security product, free from extra features which introduce increased complexity, and therefore increased security risk. As a result it has historically offered a limited subset of the IPsec protocols, and current development continues to streamline its offerings.

   Concerning AH in particular, Niels Ferguson and Bruce Schneier have argued in A Cryptographic Evaluation of IPsec that the choice of two authentication methods, AH and ESP, adds complexity (and therefore increased security risk) to the IPsec protocols. On this basis, they recommended that AH be removed from IPsec, and that ESP be modified to provide authentication in every case. FreeS/WAN 2.05 has put these recommendations into practise.

   As of release 2.05, it is no longer legal to set auth=ah in FreeS/WAN's ipsec.conf configuration file, or to use its ah-specific options: ah, ahkey, ahreplay_window and leftahspi. Behind the scenes, AH no longer appears in KLIPS (FreeS/WAN's kernel component) or ipsec whack (the scripts that control FreeS/WAN's pluto keying daemon).