I was looking for a way to see which RFCs cite RFC-4302 (and RFC-2402).  Is there one?  Google 
wasn't any help; although, the AI's response to "What cites rfc-4302?" is a great 
imitation of Humphrey Appleby in "Yes Minister".

https://datatracker.ietf.org/doc/rfc4302/referencedby/
https://datatracker.ietf.org/doc/rfc2402/referencedby/

Regards/Ngā mihi
   Brian Carpenter

On 03-Jan-26 12:40, Robinson, Herbie wrote:
From: Eliot Lear <[email protected]>

On 02.01.2026 13:24, Tom Herbert wrote:
We cannot prove no one is using it, however given the fact NAT breaks
AH and AH would break checksum offload (at least in Linux) the vast
majority of billions of computers couldn't use AH even if they wanted to.

Just an FYI- there are implementations that DO use AH that would not generally
be impacted by NAT.  These would be used in site-to-site VPNs and with OSPFv3.
AH is recommended by at least two vendors for use with OSPFv3 (specifically
with IPv6) [1,2] to match the advice given in RFC 5340 [3], which has neither
been updated nor obsoleted.
There are probably other RFCs hiding out there that use IPSEC as a crutch,
given that was common practice in the 1990s and early 2000s.  If you're going 
to deprecate AH,
you should probably do a little digging to see what we're in for.

Finally, I would advise against policy changes based on extrapolations.
Eliot

o The Cisco doc says you can use either AH or ESP.  I didn't see anywhere where 
they specifically recommend AH (but I was reading quickly).

o The Juniper doc linked to gives examples for setting up AH and doesn't 
mention ESP.  The page linked to at the bottom implies they also support ESP, 
but it's not real clear.

Practically every hash and authentication algorithm listed in the vendor 
examples is considered insecure.  That doesn't necessarily mean anything, it 
could just be out-of-date documentation.  Up-to-date recommendations would 
probably be to use GCM (which has to be ESP and is probably faster than any 
secure hash used alone with the AH protocol).  The only thing relevant I see 
there is that configuration changes would be necessary if AH actually got 
removed.

RFC-5340 refers to RFC-4552 -- The bulk of the IPSec discussion appears there.  The key
phrase I see is "In order to provide authentication to OSPFv3, implementations MUST
support ESP and MAY support AH."  It would appear that movement to deprecate AH was
already afoot.

In terms of Tom's document, I think maybe there should be a quick reference to 
RFC-4552.

I was looking for a way to see which RFCs cite RFC-4302 (and RFC-2402).  Is there one?  Google 
wasn't any help; although, the AI's response to "What cites rfc-4302?" is a great 
imitation of Humphrey Appleby in "Yes Minister".

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
List Info: https://mailman3.ietf.org/mailman3/lists/[email protected]/
--------------------------------------------------------------------
_______________________________________________
Int-area mailing list -- [email protected]
To unsubscribe send an email to [email protected]
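The claim above that NAT breaks AH while ESP survives it comes down to what each protocol's ICV covers: RFC 4302 (section 3.3.3.1) computes the AH ICV over the IP header with only the mutable fields (TOS, flags/fragment offset, TTL, header checksum) zeroed, so the addresses are authenticated and an address rewrite fails verification at the receiver; RFC 4303 computes the ESP ICV over the ESP header, payload and trailer only, never the outer IP header. The following is an added example, not code from anyone in this thread, that builds both packet types on a constructed IPv4 packet and runs them through a simulated router hop (TTL decrement) and a simulated source NAT. The key, addresses, SPIs and payload are arbitrary test values; the integrity algorithm is HMAC-SHA-256-128 (RFC 4868, ICV truncated to 128 bits) and ESP is modelled with NULL encryption so only the integrity behaviour is shown.

```python
"""
Why NAT breaks AH but not ESP (constructed example, not from the thread).

AH ICV input  = IPv4 header with mutable fields zeroed + AH header with ICV
                zeroed + payload            (RFC 4302, 3.3.3.1)
ESP ICV input = ESP header + payload + trailer, outer IP header excluded
                (RFC 4303, 3.3.3.2; NULL encryption assumed here)
Integrity: HMAC-SHA-256-128 (RFC 4868), i.e. SHA-256 HMAC truncated to 16 bytes.
"""
import hashlib
import hmac
import struct

AH_PROTO, ESP_PROTO, ICV_LEN = 51, 50, 16
NEXT_HDR = 17  # arbitrary inner protocol number (UDP); payload below is opaque bytes


def ipv4_checksum(hdr):
    """RFC 791 one's-complement checksum of a header whose checksum field is zero."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s >> 16) + (s & 0xFFFF)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0, ident=0x1234, flags_frag=0x4000):
    """20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_ipv4(ip_hdr):
    """RFC 4302 3.3.3.1.1: zero the mutable fields; addresses stay in the ICV input."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS (DSCP/ECN)
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_icv(key, ip_hdr, ah_hdr, payload):
    """AH header is 12 fixed bytes + ICV; the ICV field is zeroed for the computation."""
    return mac(key, zero_mutable_ipv4(ip_hdr) + ah_hdr[:12] + b"\x00" * ICV_LEN + payload)


def build_ah_packet(key, src, dst, spi, seq, payload):
    # Payload Len = (AH length in 32-bit words) - 2 = (12 + 16) / 4 - 2 = 5
    ah_hdr = struct.pack("!BBHII", NEXT_HDR, (12 + ICV_LEN) // 4 - 2, 0, spi, seq) + b"\x00" * ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + len(ah_hdr) + len(payload))
    return ip_hdr + ah_hdr[:12] + ah_icv(key, ip_hdr, ah_hdr, payload) + payload


def verify_ah(key, packet):
    ip_hdr, ah_hdr, payload = packet[:20], packet[20:48], packet[48:]
    return hmac.compare_digest(ah_icv(key, ip_hdr, ah_hdr, payload), ah_hdr[12:28])


def build_esp_packet(key, src, dst, spi, seq, payload):
    pad_len = (-(len(payload) + 2)) % 4                      # 4-byte alignment of the trailer
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HDR])
    body = struct.pack("!II", spi, seq) + payload + trailer  # everything the ESP ICV covers
    ip_hdr = ipv4_header(src, dst, ESP_PROTO, 20 + len(body) + ICV_LEN)
    return ip_hdr + body + mac(key, body)


def verify_esp(key, packet):
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(mac(key, body), icv)


def rewrite_ipv4(packet, src=None, decrement_ttl=True):
    """Simulated forwarding: a router decrements TTL; a source NAT also rewrites the
    source address. Both recompute the header checksum, as real devices do."""
    h = bytearray(packet[:20])
    if src is not None:
        h[12:16] = src
    if decrement_ttl:
        h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


def demo():
    key = b"constructed-test-key-not-a-real-SA-key"
    src, dst, nat_src = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), bytes([203, 0, 113, 7])
    payload = b"constructed payload bytes"
    ah = build_ah_packet(key, src, dst, 0x100, 1, payload)
    esp = build_esp_packet(key, src, dst, 0x200, 1, payload)
    return {
        "ah_direct": verify_ah(key, ah),                                   # True
        "ah_after_router_hop": verify_ah(key, rewrite_ipv4(ah)),           # True: TTL is mutable
        "ah_after_nat": verify_ah(key, rewrite_ipv4(ah, src=nat_src)),     # False: address is in the ICV
        "esp_after_nat": verify_esp(key, rewrite_ipv4(esp, src=nat_src)),  # True: outer header not covered
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-22s %s" % (name, "ICV OK" if ok else "ICV FAIL"))
```

The same rule holds for IPv6 (RFC 4302 3.3.3.1.2, where Hop Limit and the Flow Label are the mutable fields), which is why an OSPFv3 neighbour on a directly attached link, or a site-to-site tunnel with no address translation in the path, can use AH without trouble while anything behind a NAT cannot.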
