On Thu, Jan 1, 2026, 5:59 PM Fernando Gont <[email protected]> wrote:
> On 31/12/2025 18:16, Tom Herbert wrote:
> > On Wed, Dec 31, 2025 at 1:12 PM Brian E Carpenter
> > <[email protected]> wrote:
> >>
> >> Hi,
> >>
> >> I'm no expert, but I think the Security Area might have an opinion on this.
> >>
> >> Note that according to RFC 8221:
> >>
> >> "The last method that can be used is ESP+AH. This method is NOT
> >> RECOMMENDED."
> >>
> >> "ENCR_NULL status was set to MUST in [RFC7321] and remains a MUST to
> >> enable the use of ESP with only authentication, which is preferred
> >> over AH due to NAT traversal."
> >>
> >> "As mentioned by [RFC7321], it is NOT RECOMMENDED to use ESP with
> >> NULL authentication (with non-authenticated encryption) in conjunction
> >> with AH; some configurations of this combination of services have been
> >> shown to be insecure [PD10]."
> >>
> >> That seems pretty close to deprecation already.
> >
> > Hi Brian,
> >
> > Indeed. I'm looking forward to completing the formal deprecation and
> > removing the code from the OS (linux at least) :-).
>
> FWIW, if you're into that, you may start by disabling the feature by
> default and/or implementing a sysctl to do so.

Hi Fernando

The first step would be to turn off compiling AH by default in Kconfig
with a warning that it's deprecated. After that the code would be
removed.

Tom

> Thanks,
> --
> Fernando Gont
> e-mail: [email protected]
> PGP Fingerprint: 7F7F 686D 8AC9 3319 EEAD C1C8 D1D5 4B94 E301 6F01
_______________________________________________
Int-area mailing list -- [email protected]
To unsubscribe send an email to [email protected]
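Before shipping AH disabled by default, an operator will want to know which of their existing SAs actually depend on it. The following Python is an added example, not code from the thread or from the Linux kernel: it parses constructed text in the style of `ip xfrm state` output (the record layout and the algorithm names `digest_null` and `ecb(cipher_null)` are assumptions) and flags AH SAs plus any ESP SA with NULL authentication that is bundled with an AH SA, the combination RFC 8221 marks NOT RECOMMENDED.

```python
import re

# Constructed sample in the style of `ip xfrm state` output; it was not
# captured from a real host and the key material is dummy.
SAMPLE_XFRM_STATE = """\
src 192.0.2.1 dst 198.51.100.1
    proto ah spi 0x00000100 reqid 1 mode transport
    auth-trunc hmac(sha256) 0x00112233445566778899aabbccddeeff 128
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0x00000101 reqid 1 mode transport
    auth digest_null 0x
    enc cbc(aes) 0x00112233445566778899aabbccddeeff
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0x00000200 reqid 2 mode tunnel
    auth-trunc hmac(sha256) 0x00112233445566778899aabbccddeeff 128
    enc ecb(cipher_null)
"""

_HDR = re.compile(r"^src (\S+) dst (\S+)")
_PROTO = re.compile(r"^\s*proto (\S+) spi (\S+) reqid (\d+) mode (\S+)")
_ALG = re.compile(r"^\s*(auth-trunc|auth|enc|aead) (\S+)")  # algorithm names only

def parse_xfrm_state(text):
    """Return one dict per SA: src, dst, proto, spi, reqid, mode, auth, enc."""
    sas = []
    for line in text.splitlines():
        if m := _HDR.match(line):               # a new SA record begins
            sas.append({"src": m[1], "dst": m[2], "auth": None, "enc": None})
        elif not sas:
            continue                            # ignore text before the first SA
        elif m := _PROTO.match(line):
            sas[-1].update(proto=m[1], spi=m[2], reqid=int(m[3]), mode=m[4])
        elif m := _ALG.match(line):             # an aead line is recorded under "enc"
            sas[-1]["auth" if m[1].startswith("auth") else "enc"] = m[2]
    return sas

def audit_ah_usage(sas):
    """List AH SAs (they stop working once AH is no longer built) and the
    ESP-with-NULL-authentication + AH bundles RFC 8221 calls NOT RECOMMENDED."""
    ident = lambda s: (s["src"], s["dst"], s["spi"])
    ah = [s for s in sas if s["proto"] == "ah"]
    bundles = {(s["src"], s["dst"], s["reqid"]) for s in ah}   # AH shares reqid with ESP
    risky = [s for s in sas if s["proto"] == "esp" and s["auth"] == "digest_null"
             and (s["src"], s["dst"], s["reqid"]) in bundles]
    return {"ah_sas": [ident(s) for s in ah],
            "esp_null_auth_with_ah": [ident(s) for s in risky]}
```

On a real host, pass the live text instead of the sample, e.g. `parse_xfrm_state(subprocess.run(["ip", "xfrm", "state"], capture_output=True, text=True).stdout)`.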
