| Main Archive Page > Month Archives > ipsec archives |
Re: [IPsec] Avoiding Authentication Header (AH)
From: Bhatia, Manav (Manav) <manav.bhatia_at_nospam>Date: Wed Jan 04 2012 - 14:22:12 GMT
To: "mcr@sandelman.ca" <mcr@sandelman.ca>
Hi Marc,
We don't say that. 4301 says that implementations MAY support AH and MUST support ESP.
This creates a problem for implementations if in future a new application or a protocol mandates the use of AH.
I will even go a step further and say that newer protocols should just assume ESP-NULL and not even bother with AH if they can do with just ESP.
Cheers, Manav
-----Original Message-----
From: mcr@sandelman.ca [mailto:mcr@sandelman.ca]
Sent: Wednesday, January 04, 2012 7:46 PM
To: Bhatia, Manav (Manav)
Cc: Nico Williams; ipsec@ietf.org
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
>>>>> "Manav" == Manav Bhatia <Bhatia> writes:
Manav> Hi Nico,
>> Advising (and updating said advice as circumstances change)
>> use-IPsec protocol designers as to when to use ESP and/or AH is
>> something we should do. Deprecating AH seems like a nice idea,
>> but if there's good reasons to still use it, then maybe not.
Manav> We're not talking about deprecating or killing AH. I concede
Manav> that I did allude to it in my first draft, but then changed
Manav> the tone based on the WG feedback, to say that we should
Manav> "avoid" AH wherever possible.
This is the status quo already.
Why do we need this draft?
-- ] He who is tired of Weird Al is tired of life! | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr_at_sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE> then sign the petition. _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec