On 15 Nov 2011, at 12:46, Scott Fluhrer (sfluhrer) wrote:
>
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf
>> Of Frederic Detienne
>> Sent: Monday, November 14, 2011 8:52 PM
>> To: Paul Wouters
>> Cc: [email protected]; Yoav Nir; Vilhelm Jutvik
>> Subject: Re: [IPsec] Does ESP provide all functionality offered by AH?
>>
>>
>> Can you please explain your point about transport mode being bad? We
>> do not see any problem with it in real world deployments. It is quite
>> the opposite actually.
>>
>> I agree that AH is a hindrance, especially that it protects the
>> non-mutable fields of the IP header and therefore prevents NAT and ToS
>> re-marking.
>
> One minor correction: the DSCP field is mutable, and hence ToS remarking
> is not a problem.
You are right. Thanks for the correction! :-)
fred
>> I.e. the main difference between AH and ESP_NULL is really
>> this outer IP header protection which is detrimental in most practical
>> networks.
>>
>
>
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
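
An added example, not part of the thread above: a Python sketch of the point under discussion, computing an AH integrity check value over an IPv4 header with the mutable fields zeroed as RFC 4302 specifies. It assumes HMAC-SHA1-96 as the integrity algorithm; the function names, key, SPI, addresses (documentation ranges) and payload are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

def ipv4_header(src, dst, dscp=0, ecn=0, ttl=64, ident=0x1234, total_len=60):
    """Build a 20-byte IPv4 header without options, next protocol AH (51)."""
    tos = (dscp << 2) | ecn
    # Header checksum is left at 0 here: it is mutable and zeroed for the ICV anyway.
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, 0, ttl, 51, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    """Zero the IPv4 fields RFC 4302 treats as mutable before ICV computation."""
    b = bytearray(hdr)
    b[1] = 0                  # DSCP + ECN
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)

def ah_icv(key, ip_hdr, ah_hdr_zero_icv, payload):
    """ICV over the zeroed IP header, the AH header (ICV field zeroed) and the payload."""
    data = zero_mutable(ip_hdr) + ah_hdr_zero_icv + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]  # truncate to 96 bits

def demo():
    key = b"constructed-demo-key"          # constructed sample key
    # AH header: next header 6 (TCP), payload len 4, reserved, SPI, sequence, zeroed ICV
    ah = struct.pack("!BBHII", 6, 4, 0, 0x100, 1) + bytes(12)
    payload = b"constructed data"          # 16 constructed bytes
    sent = ah_icv(key, ipv4_header("192.0.2.10", "198.51.100.20"), ah, payload)
    # A router re-marks DSCP and decrements TTL: only mutable fields change.
    remarked = ah_icv(
        key, ipv4_header("192.0.2.10", "198.51.100.20", dscp=46, ttl=61), ah, payload)
    # A NAT device rewrites the source address: an immutable field changes.
    natted = ah_icv(key, ipv4_header("203.0.113.5", "198.51.100.20"), ah, payload)
    return sent == remarked, sent == natted

if __name__ == "__main__":
    survives_remark, survives_nat = demo()
    print("ICV valid after DSCP/TTL change:", survives_remark)
    print("ICV valid after NAT source rewrite:", survives_nat)
```

ESP, with or without NULL encryption, leaves the outer IP header out of its integrity check entirely, so neither change would affect an ESP ICV.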