AH and ESP can theoretically be applied in combination with each other to exploit the strengths of both protocols but, in most real-world scenarios, ESP alone is enough.
When used together, AH authentication and ESP encryption result in a higher percentage increase in network load for small files when compared to ESP encryption and authentication. If the percentage of small files sent over a network is significant and the network has limited bandwidth (wireless?), then it's always better to use ESP instead of AH to provide authentication. I am yet to come across a really compelling argument in favor of AH.

A small nit - You should also mention RFC 5879 - "Heuristics for Detecting ESP-NULL Packets" alongside RFC 5840 - WESP when you discuss deep inspecting ESP-NULL packets.

Sriram

On Fri, Dec 30, 2011 at 12:21 AM, Bhatia, Manav (Manav) <[email protected]> wrote:
> Hi,
>
> We have had several discussions in the past about the utility of AH when ESP
> with NULL encryption offers everything that AH has to offer. I have written a
> very small draft that recommends moving AH to the Historic status. This
> document does NOT deprecate AH and it does NOT mean that people should stop
> using AH now. All it means is that other WGs should use ESP-NULL whenever
> defining integrity verification mechanisms and should only use AH when
> authentication cannot be achieved with ESP-NULL. I also discuss a few points
> that people usually put in favor of AH over ESP and why I think that those
> are not very relevant.
>
> I would love to hear feedback from the WG.
>
> The URL for the draft is:
> http://www.ietf.org/internet-drafts/draft-bhatia-moving-ah-to-historic-00.txt
>
> Happy New Year in advance!
>
> Cheers, Manav
>
> From: [email protected]
> To: [email protected]
> Reply-to: [email protected]
> Subject: I-D Action: draft-bhatia-moving-ah-to-historic-00.txt
> X-RSN: 1/0/935/40711/44097
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>
> Title : Moving Authentication Header (AH) to Historic
> Author(s) : Manav Bhatia
> Filename : draft-bhatia-moving-ah-to-historic-00.txt
> Pages : 5
> Date : 2011-12-29
>
> This document recommends retiring Authentication Header (AH) and
> discusses the reasons for doing so. It recommends moving RFC 4302 to
> Historic status.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-bhatia-moving-ah-to-historic-00.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> This Internet-Draft can be retrieved at:
> ftp://ftp.ietf.org/internet-drafts/draft-bhatia-moving-ah-to-historic-00.txt
>
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec
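The per-packet overhead argument made in the reply above, worked through as an added example that is not from the thread or the draft. It assumes transport mode, ESP with AES-CBC-128 (16-byte IV, 16-byte block alignment) and HMAC-SHA1-96 (12-byte ICV) for both AH and ESP integrity, and ignores the outer IP header, which is common to both configurations.

```python
# Added example: header/trailer cost of "AH for auth + ESP for encryption"
# versus "ESP doing both", as a function of payload size. Sizes below are
# the standard RFC 4302/4303 field widths under the assumptions stated in
# the lead-in (AES-CBC-128, HMAC-SHA1-96, transport mode, no IP header).

AH_HDR = 12       # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV = 12          # HMAC-SHA1-96 truncated integrity check value
ESP_HDR = 8       # SPI + Sequence Number
ESP_IV = 16       # AES-CBC initialization vector
ESP_BLOCK = 16    # plaintext + padding + trailer is padded to this block size
ESP_TRAILER = 2   # Pad Length + Next Header


def esp_padding(payload_len):
    """Bytes of padding needed so payload + trailer fills whole cipher blocks."""
    return (-(payload_len + ESP_TRAILER)) % ESP_BLOCK


def esp_encrypted_len(payload_len, with_icv):
    total = ESP_HDR + ESP_IV + payload_len + esp_padding(payload_len) + ESP_TRAILER
    return total + (ICV if with_icv else 0)


def esp_auth_len(payload_len):
    """Single ESP SA providing both confidentiality and integrity."""
    return esp_encrypted_len(payload_len, with_icv=True)


def ah_plus_esp_len(payload_len):
    """AH (integrity) wrapped around ESP that only encrypts (no ESP ICV)."""
    return AH_HDR + ICV + esp_encrypted_len(payload_len, with_icv=False)


def overhead_pct(packet_len, payload_len):
    """Percentage growth of the packet relative to its payload."""
    return 100.0 * (packet_len - payload_len) / payload_len


def compare(payload_sizes):
    """Return (payload, ESP-only overhead %, AH+ESP overhead %) per size."""
    return [
        (n, overhead_pct(esp_auth_len(n), n), overhead_pct(ah_plus_esp_len(n), n))
        for n in payload_sizes
    ]


if __name__ == "__main__":
    for n, esp_pct, both_pct in compare([40, 64, 256, 1400]):
        print(f"payload {n:5d} B: ESP auth+enc {esp_pct:6.1f}%  AH+ESP {both_pct:6.1f}%")
```

The absolute penalty of the combined configuration is a constant 12 bytes per packet (a 24-byte AH in place of a 12-byte ESP ICV), which is why it shows up mainly as a percentage on small packets.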
