Subject: Re: Non-IPSec Processing Point for ipf
To: None <tech-net@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 04/18/2003 15:53:37
>>>>> "Andrew" == Andrew Brown <atatat@atatdot.net> writes:
Andrew> interesting. you are actually in a situation where you are using
Andrew> ipsec to obscure yet do not trust the other party? why waste time on
Andrew> ipsec? i assume from this, that ah would not help at all.
1) Trust is not binary.
2) I may trust party (a) differently than party (b), and I need to make
sure that they do not impersonate each other.
3) IPsec is not just about VPNs. Many applications of it terminate the
SA *in front* of the firewalling, not use IPsec to except the packets
from the firewall. This is what this thread is about.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
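The filtering model Michael's points (2) and (3) describe, as an added illustration that is not code from this thread, from NetBSD or from ipf: decrypted packets are filtered *after* the SA is terminated, and the filter knows which SA (hence which party) each packet arrived under, so party (a) cannot forge inner source addresses that belong to party (b), and each party is granted only the services its own trust class allows. The table layout, the `sa_policy` and `inner_pkt` structures, the addresses, SPIs and trust classes are all hypothetical; the real ipf data structures look nothing like this.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Verdicts returned by the post-decapsulation filter. */
enum verdict { V_BLOCK = 0, V_PASS = 1 };

/* Hypothetical per-SA policy row (not ipf's real structures): which peer
 * the SA was negotiated with, which inner source prefix that peer may
 * originate, and the trust class assigned to that peer. */
struct sa_policy {
    const char *name;      /* label used in verdict messages */
    uint32_t peer;         /* outer (tunnel) address of the peer */
    uint32_t spi;          /* SPI of the inbound SA */
    uint32_t inner_net;    /* inner source prefix bound to this SA */
    uint32_t inner_mask;
    int      trust;        /* 1 = low trust, 2 = high trust */
};

/* A decapsulated packet as the filter sees it after ESP/AH processing.
 * sa is NULL for a packet that arrived in the clear. */
struct inner_pkt {
    uint32_t src, dst;
    uint8_t  proto;        /* 6 = TCP, 17 = UDP */
    uint16_t dport;
    const struct sa_policy *sa;
};

static uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
           ((uint32_t)c << 8)  |  (uint32_t)d;
}

/* Constructed example table: two peers trusted differently (documentation
 * addresses 203.0.113.1 and 198.51.100.7, made-up SPIs). */
#define SA_COUNT 2
const struct sa_policy sa_table[SA_COUNT] = {
    { "party-a", 0xCB007101u, 0x1001, 0x0A010000u, 0xFFFF0000u, 2 }, /* 203.0.113.1, 10.1/16 */
    { "party-b", 0xC6336407u, 0x2002, 0x0A020000u, 0xFFFF0000u, 1 }, /* 198.51.100.7, 10.2/16 */
};

/* Find the SA a packet was decrypted under. In a real stack the kernel
 * already knows this; here the table is indexed by (peer, spi). */
const struct sa_policy *sa_lookup(const struct sa_policy *tbl, size_t n,
                                  uint32_t peer, uint32_t spi) {
    for (size_t i = 0; i < n; i++)
        if (tbl[i].peer == peer && tbl[i].spi == spi)
            return &tbl[i];
    return NULL;
}

/* The check the thread argues for: filter after decapsulation, knowing
 * which SA the packet came in on. Writes a short reason into why[]. */
enum verdict filter_inner(const struct inner_pkt *p, char *why, size_t wlen) {
    if (p->sa == NULL) {
        snprintf(why, wlen, "cleartext packet to protected net");
        return V_BLOCK;
    }
    /* Anti-impersonation: the inner source must lie in the prefix bound to
     * this SA. Party (a)'s packets authenticate fine under its own SA, but
     * it still cannot claim a source from party (b)'s range. */
    if ((p->src & p->sa->inner_mask) != p->sa->inner_net) {
        snprintf(why, wlen, "%s: inner src outside bound prefix", p->sa->name);
        return V_BLOCK;
    }
    /* Trust is not binary: the service set opens up with the trust class. */
    if (p->sa->trust >= 2) {
        snprintf(why, wlen, "%s: high-trust peer, all services", p->sa->name);
        return V_PASS;
    }
    if (p->proto == 6 && p->dport == 25) {
        snprintf(why, wlen, "%s: low-trust peer, smtp allowed", p->sa->name);
        return V_PASS;
    }
    snprintf(why, wlen, "%s: %u/%u not open to this trust class",
             p->sa->name, (unsigned)p->proto, (unsigned)p->dport);
    return V_BLOCK;
}

int main(void) {
    char why[96];
    /* party-b's SA carrying a source address from party-a's prefix */
    struct inner_pkt forged = { ip4(10,1,0,5), ip4(192,168,0,10), 6, 25, &sa_table[1] };
    enum verdict v = filter_inner(&forged, why, sizeof why);
    printf("%s: %s\n", v == V_PASS ? "pass" : "block", why);
    return 0;
}
```

The point of the `sa` field is that it is filled in by the IPsec layer, never parsed from the packet: the inner addresses are attacker-controlled, the SA identity is not, and the filter's decisions hang off the latter.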