> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Frederic Detienne
> Sent: Monday, November 14, 2011 8:52 PM
> To: Paul Wouters
> Cc: [email protected]; Yoav Nir; Vilhelm Jutvik
> Subject: Re: [IPsec] Does ESP provide all functionality offered by AH?
>
>
> Can you please explain your point about transport mode being bad? We
> do not see any problem with it in real world deployments. It is quite
> the opposite actually.
>
> I agree that AH is a hindrance, especially that it protects the
> non-mutable fields of the IP header and therefore prevents NAT and ToS
> re-marking.

One minor correction: the DSCP field is mutable, and hence ToS remarking is not a problem.

> I.e. the main difference between AH and ESP_NULL is really
> this outer IP header protection which is detrimental in most practical
> networks.
>

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
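
Added example, not part of either message: a simplified Python model of the AH integrity check discussed in this thread. It zeroes the IPv4 fields RFC 4302 lists as mutable before computing the ICV, so a DSCP/TTL change in transit still verifies while a NAT source-address rewrite does not. The key, addresses and payload are constructed, and the real ICV also covers the AH header and is truncated, which this sketch omits.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread


def ipv4_header(src, dst, tos=0, ttl=64, ident=0x1234, total_len=40, proto=51):
    """Build a 20-byte IPv4 header without options (protocol 51 = AH).
    The header checksum is left at 0; it is a mutable field anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, 0,
                       ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable(header):
    """Zero the IPv4 fields RFC 4302 treats as mutable in transit."""
    h = bytearray(header)
    h[1] = 0                  # DSCP + ECN (the former ToS byte)
    h[6:8] = b"\x00\x00"      # Flags + Fragment Offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # Header Checksum
    return bytes(h)


def ah_icv(header, payload):
    """Simplified ICV: HMAC-SHA-256 over the zeroed header and the payload."""
    return hmac.new(KEY, zero_mutable(header) + payload, hashlib.sha256).digest()


def verify(header, payload, icv):
    """Receiver-side check, constant-time comparison."""
    return hmac.compare_digest(ah_icv(header, payload), icv)


def demo():
    payload = b"constructed upper-layer payload"
    sent = ipv4_header("192.0.2.10", "198.51.100.20", tos=0x00, ttl=64)
    icv = ah_icv(sent, payload)
    # A router re-marks DSCP to EF (ToS byte 0xB8) and decrements the TTL.
    remarked = ipv4_header("192.0.2.10", "198.51.100.20", tos=0xB8, ttl=60)
    # A NAT device rewrites the source address (an immutable field).
    natted = ipv4_header("203.0.113.5", "198.51.100.20", tos=0x00, ttl=64)
    return {"remarked": verify(remarked, payload, icv),
            "natted": verify(natted, payload, icv)}


if __name__ == "__main__":
    print(demo())
```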
