
Re: NATs *ARE* evil!

2000-12-19 08:50:02

Steve Bellovin, on IPSEC, not-AH:

| [A] host's identity is represented by its certificate (I'm speaking a bit 
| loosely here); its IP address is merely the way that packets reach it.  

This is an example of two separate namespaces that allow one
to distinguish between "who" and "where".   That the network
layer can be rewritten to the point of total protocol substitution
without interfering with the identification of who sent it
is a feature, adding enormous flexibility into the development
of network features.

That IPSEC can preserve the end-to-end integrity of the
application-to-application data even in a rabidly-rewriting
environment makes one wonder why people are so fanatical
about preventing that rewriting at all!

(The important thing is that one knows that "Steve's Machine"
sent a packet that happened to arrive with a particular source
address, which for a while can be used to send replies back to
"Steve's Machine").

The only tricky thing here is having a "who" <-> "where" translation
readily available to the host.

        Sean.

P.S.: Incidentally, I have no trouble whatsoever with the concept
      of a last-hop-router before a host that can distinguish "who"
      and "where" being presented with a permanent, deterministic association
      between the two.  I also have no problem with the last-hop-router
      moving "corewards" even several hops.  The thing I want to prevent
      is the requirement that ALL routers provide such a deterministic
      permanent mapping between the two, because ultimately that makes
      the Internet more expensive for everyone to use over time.  
      (It also makes a non-dual-stack transition to a new Internet protocol 
      much harder on the host side, and a non-ships-in-the-night deployment
      in routers nearly impossible).
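The "who" versus "where" split described above, as an added example that is not part of the original post and is not real IPsec framing: a toy model in which a per-peer shared key stands in for the host's certificate (the "who"), the outer source address that arrives is the "where", and an AH-style integrity tag (covering the addresses) is compared with an ESP-style tag (covering only the payload) after a NAT rewrites the source address. All peer names, keys and addresses are constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

# Constructed sample data: one shared key per peer is the stand-in for that
# peer's certificate.  This is a toy model, not an IPsec implementation.
PEER_KEYS = {
    "steves-machine": b"constructed-key-for-steves-machine",
    "other-host":     b"constructed-key-for-other-host",
}


@dataclass(frozen=True)
class Packet:
    src: str        # outer IP source address: the "where"
    dst: str
    payload: bytes
    tag: bytes      # HMAC over the covered bytes, the stand-in for the IPsec ICV
    mode: str       # "ah": tag covers src/dst + payload; "esp": payload only


def _covered(src, dst, payload, mode):
    # What the integrity tag protects in each mode (simplified: real AH also
    # covers other immutable header fields, real ESP covers its own header).
    if mode == "ah":
        return src.encode() + b"|" + dst.encode() + b"|" + payload
    if mode == "esp":
        return payload
    raise ValueError(f"unknown mode {mode!r}")


def send(who, src, dst, payload, mode):
    # The sender tags the packet with its own key, i.e. proves "who".
    key = PEER_KEYS[who]
    tag = hmac.new(key, _covered(src, dst, payload, mode), hashlib.sha256).digest()
    return Packet(src, dst, payload, tag, mode)


def nat_rewrite(pkt, new_src):
    # A NAT (or any rewriting middlebox) changes the outer source address and
    # nothing else; it holds no key, so it cannot recompute the tag.
    return replace(pkt, src=new_src)


def receive(pkt):
    # Returns (who, where) if some peer's key verifies the tag, else None.
    # "where" is simply the address the packet arrived with, which is enough
    # to send replies back for a while.  Trying every peer key is a
    # simplification of the real SPI -> security association lookup.
    covered = _covered(pkt.src, pkt.dst, pkt.payload, pkt.mode)
    for who, key in PEER_KEYS.items():
        tag = hmac.new(key, covered, hashlib.sha256).digest()
        if hmac.compare_digest(tag, pkt.tag):
            return who, pkt.src
    return None


def demo():
    # Steve's machine sits behind a NAT: inside address 192.0.2.10 is
    # rewritten to 203.0.113.7 on the way to the server at 198.51.100.1.
    inside, outside, server = "192.0.2.10", "203.0.113.7", "198.51.100.1"
    esp = nat_rewrite(send("steves-machine", inside, server, b"hello", "esp"), outside)
    ah = nat_rewrite(send("steves-machine", inside, server, b"hello", "ah"), outside)
    # ESP-style: identity survives, reply address is the rewritten one.
    # AH-style: the rewrite broke the tag, so the receiver learns nothing.
    return receive(esp), receive(ah)


if __name__ == "__main__":
    print(demo())
```

Run it and the ESP-style packet still identifies "steves-machine" with 203.0.113.7 as the address to reply to, while the AH-style packet fails verification once the NAT has touched the header; the only state the receiver needs beyond the key is the "who" to "where" mapping it just learned from the arriving packet.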