Re: [IPsec] Avoiding Authentication Header (AH)

From: Bhatia, Manav (Manav) <manav.bhatia_at_nospam>
Date: Wed Jan 04 2012 - 14:22:12 GMT
To: "mcr@sandelman.ca" <mcr@sandelman.ca>

Hi Marc,

We don't say that. 4301 says that implementations MAY support AH and MUST support ESP.

This creates a problem for implementations if in future a new application or a protocol mandates the use of AH.

I will even go a step further and say that newer protocols should just assume ESP-NULL and not even bother with AH if they can do with just ESP.

Cheers, Manav

-----Original Message-----
From: mcr@sandelman.ca [mailto:mcr@sandelman.ca]
Sent: Wednesday, January 04, 2012 7:46 PM
To: Bhatia, Manav (Manav)
Cc: Nico Williams; ipsec@ietf.org
Subject: Re: [IPsec] Avoiding Authentication Header (AH)

>>>>> "Manav" == Manav Bhatia <Bhatia> writes:
    Manav> Hi Nico,
 
>> Advising (and updating said advice as circumstances change)
>> use-IPsec protocol designers as to when to use ESP and/or AH is
>> something we should do. Deprecating AH seems like a nice idea,
>> but if there's good reasons to still use it, then maybe not.

    Manav> We're not talking about deprecating or killing AH. I concede
    Manav> that I did allude to it in my first draft, but then changed
    Manav> the tone based on the WG feedback, to say that we should
    Manav> "avoid" AH wherever possible.

This is the status quo already.
Why do we need this draft?

--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr_at_sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.