On 02.01.2026 13:24, Tom Herbert wrote:
> We cannot prove no one is using it, however given the fact NAT breaks AH and AH would break checksum offload (at least in Linux) the vast majority of billions of computers couldn't use AH even if they wanted to.
Just an FYI: there are implementations that DO use AH that would not generally be impacted by NAT. These would be used in site-to-site VPNs and with OSPFv3. AH is recommended by at least two vendors for use with OSPFv3 (specifically with IPv6) [1,2] to match the advice given in RFC 5340 [3], which has been neither updated nor obsoleted. There are probably other RFCs hiding out there that use IPsec as a crutch, given that was common practice in the 1990s and early 2000s. If you're going to deprecate AH, you should probably do a little digging to see what we're in for.
Finally, I would advise against policy changes based on extrapolations.

Eliot

[1] https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/ip-routing/b-ip-routing/m_ip6-route-ospfv3-auth-ipsec.html
[2] https://supportportal.juniper.net/s/article/OSPFv3-authentication
[3] https://datatracker.ietf.org/doc/rfc5340/
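The claim quoted above that NAT breaks AH follows from how the AH integrity check value (ICV) is computed: per RFC 4302 it covers the IP header with only the mutable fields (TOS, flags, fragment offset, TTL, header checksum) zeroed, so the source and destination addresses are authenticated and any address rewrite invalidates the ICV, while an ordinary TTL decrement does not. The following is an added, self-contained illustration of that point, not code from either poster or from any IPsec implementation. It assumes IPv4 transport mode with no IP options, HMAC-SHA1-96 (RFC 2404) as the integrity algorithm, and constructed addresses, key and payload; key management (IKE), replay windows and the Linux xfrm stack are deliberately out of scope.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51        # IP protocol number for AH
ICV_LEN = 12         # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits (RFC 2404)
IP_HDR_LEN = 20      # IPv4 header without options (assumption for this example)
AH_FIXED_LEN = 12    # Next Header, Payload Len, Reserved, SPI, Sequence Number


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl,
                      AH_PROTO, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """Zero the mutable IPv4 fields (RFC 4302 Appendix A1) before computing the ICV.
    Note that the source and destination addresses are NOT zeroed: AH authenticates them."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0                 # TOS / DSCP
    hdr[6:8] = b"\x00\x00"     # flags + fragment offset
    hdr[8] = 0                 # TTL
    hdr[10:12] = b"\x00\x00"   # header checksum
    return bytes(hdr)


def build_ah(next_header: int, spi: int, seq: int, icv: bytes = b"\x00" * ICV_LEN) -> bytes:
    # Payload Len is the AH length in 32-bit words minus 2; with a 96-bit ICV this is 4.
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key: bytes, ip_hdr: bytes, ah_zeroed: bytes, payload: bytes) -> bytes:
    mac = hmac.new(key, ah_immutable_view(ip_hdr) + ah_zeroed + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]


def ah_protect(key: bytes, src: str, dst: str, payload: bytes, spi: int, seq: int,
               next_header: int = 17) -> bytes:
    """Build an AH-protected IPv4 packet (transport mode, next header UDP by default)."""
    total_len = IP_HDR_LEN + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = build_ipv4_header(src, dst, total_len)
    ah_zeroed = build_ah(next_header, spi, seq)
    icv = compute_icv(key, ip_hdr, ah_zeroed, payload)
    return ip_hdr + ah_zeroed[:AH_FIXED_LEN] + icv + payload


def ah_verify(key: bytes, packet: bytes) -> bool:
    """Receiver-side check: recompute the ICV over the immutable view and compare."""
    ip_hdr = packet[:IP_HDR_LEN]
    ah = packet[IP_HDR_LEN:IP_HDR_LEN + AH_FIXED_LEN + ICV_LEN]
    payload = packet[IP_HDR_LEN + AH_FIXED_LEN + ICV_LEN:]
    received_icv = ah[AH_FIXED_LEN:]
    ah_zeroed = ah[:AH_FIXED_LEN] + b"\x00" * ICV_LEN
    return hmac.compare_digest(received_icv, compute_icv(key, ip_hdr, ah_zeroed, payload))


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What a NAT does: rewrite the source address and fix up the IP header checksum."""
    ip_hdr = bytearray(packet[:IP_HDR_LEN])
    ip_hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip_hdr)))
    return bytes(ip_hdr) + packet[IP_HDR_LEN:]


def router_decrement_ttl(packet: bytes) -> bytes:
    """What an ordinary router does: decrement TTL and fix up the checksum."""
    ip_hdr = bytearray(packet[:IP_HDR_LEN])
    ip_hdr[8] -= 1
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip_hdr)))
    return bytes(ip_hdr) + packet[IP_HDR_LEN:]


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed; a real SA gets its key from IKE
    pkt = ah_protect(key, "10.0.0.5", "192.0.2.10", b"constructed payload", spi=0x100, seq=1)
    return {
        "original": ah_verify(key, pkt),
        "after_ttl_decrement": ah_verify(key, router_decrement_ttl(pkt)),
        "after_nat": ah_verify(key, nat_rewrite_source(pkt, "203.0.113.7")),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the packet still verifying after a router hop (TTL is mutable and excluded from the ICV) but failing after the NAT rewrite, even though the NAT left the IP header checksum valid. ESP in tunnel mode avoids this because its ICV does not cover the outer IP header, which is why the site-to-site and OSPFv3 deployments mentioned above, where no NAT sits between the peers, are the cases in which AH keeps working.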
_______________________________________________ Int-area mailing list -- [email protected] To unsubscribe send an email to [email protected]
