>>>>> "Manav" == Manav Bhatia <Bhatia> writes:
Manav> Hopefully this will help us focus on the technical, rather
Manav> than the process related contents in the draft.
Manav> The message remains the same, which is that we should NOT use
Manav> AH for any newer applications and protocols since ESP with
Manav> NULL encryption algorithm is a better alternative.
Manav> Looking forward to hearing from the WG.
okay, I've read the draft, but your blanket statement that it is never
justified is wrong.
Your draft might ring truer if you limited your analysis to IPv4 only.
I've maintained for a long time that we will need AH functionality in
the future, but we haven't gotten there yet. SEND almost used it, and
the reason why we didn't, was because we had wrongly specified what to
do when we see an AH SPI# a host did not understand. This was sad.
I do not agree that WESP provides the service desired.
WESP requires cooperation (and therefore upgrade) of the end points.
What AH does that ESP NULL does not, is that it guarantees that the
things after the AH header are in fact in the clear. One can in fact,
ignore the AH header completely (even on the receiving node!), and still
process the entire packet. Not so with ESP!
AH is just another extension header in IPv6.
This property is simply undesirable for many security systems,
including all VPNs.
Having said all of this, I agree that for 99% of "Use IPsec"
statements, ESP-NULL is likely the correct choice.
--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] [email protected] http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
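The property Michael describes above, that a bystander can skip an AH header and still reach the transport header while an ESP header is a dead end, shown as an added example (not code from the thread or from any IETF draft). It walks a constructed IPv6 extension-header chain; addresses, SPIs, sequence numbers and the 12-byte ICV (HMAC-SHA1-96 sized) are placeholder values, and no ICV is verified because the point is that a node ignoring AH entirely can still classify the packet.

```python
import struct

AH, ESP, TCP, HOP_BY_HOP, ROUTING, DEST_OPTS = 51, 50, 6, 0, 43, 60
GENERIC_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS}  # Hdr Ext Len in 8-octet units, minus 1

def upper_layer(pkt: bytes):
    """Walk the IPv6 extension-header chain. Returns (protocol, offset) of the
    first non-extension header, or (ESP, offset) when the chain ends in ESP:
    ESP's Next Header field lives in the (possibly encrypted) trailer, so a
    bystander cannot tell what follows."""
    nh, off = pkt[6], 40                  # IPv6 Next Header; fixed header is 40 bytes
    while True:
        if nh in GENERIC_EXT:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == AH:
            # AH Payload Len counts 32-bit words minus 2; skipping it (ICV
            # included) lands on the cleartext upper-layer header.
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        elif nh == ESP:
            return ESP, off               # stop: nothing after this is parseable
        else:
            return nh, off

def ipv6_header(next_header: int, payload_len: int) -> bytes:
    # Constructed: version 6, zero flow label, hop limit 64, all-zero placeholder addresses.
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64,
                       bytes(16), bytes(16))

# Constructed headers: a TCP SYN to port 179 (BGP), an AH header with a 12-byte
# ICV (24 bytes = 6 words, so Payload Len = 4), and a bare ESP header.
TCP_HDR = struct.pack("!HHIIBBHHH", 12345, 179, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
AH_HDR = struct.pack("!BBHII", TCP, 4, 0, 0x1234, 1) + bytes(12)
ESP_HDR = struct.pack("!II", 0x5678, 1)

def ah_packet() -> bytes:
    body = AH_HDR + TCP_HDR
    return ipv6_header(AH, len(body)) + body

def esp_packet() -> bytes:
    body = ESP_HDR + TCP_HDR              # to an outsider this region is opaque bytes
    return ipv6_header(ESP, len(body)) + body

def classify(pkt: bytes) -> str:
    """What a firewall that ignores IPsec entirely can still say about the flow."""
    proto, off = upper_layer(pkt)
    if proto == TCP:
        sport, dport = struct.unpack_from("!HH", pkt, off)
        return f"tcp {sport}->{dport}"
    return "esp (opaque)" if proto == ESP else f"proto {proto}"
```

The same walk also crosses ordinary extension headers placed before AH, which is how the AH-protected packet stays classifiable without any cooperation from the endpoints.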