Hi Nico,
 
> Advising (and updating said advice as circumstances change) 
> use-IPsec protocol designers as to when to use ESP and/or AH 
> is something we should do.  Deprecating AH seems like a nice 
> idea, but if there's good reasons to still use it, then maybe not.

We're not talking about deprecating or killing AH. I concede that I did allude 
to it in my first draft, but then changed the tone based on the WG feedback, to 
say that we should "avoid" AH wherever possible.

What we're trying to say is this:

1. If folks have a reason to use AH then they're most welcome to use it. 

2. If there are topologies where it only makes sense to use AH, then do that. 
Ran pointed out some very specific cases where it apparently makes sense to 
use AH and I have no problems with people using AH there. In the view of most 
people there isn't a need for AH in the service provider network, and I am fine 
with a few people disagreeing with me. 

3. If there are newer protocols that can't use ESP-NULL for some reason and need 
to extend AH, then they should do that. All we're saying is that those folks 
should not arbitrarily extend AH. They should have a good reason for doing so.

In short, if ESP-NULL can do the job, then DON'T mandate AH - no point having 
multiple protocols doing the same stuff. If it can't, then either (i) fix ESP or 
(ii) go ahead and use AH. Pick whichever is more elegant and preferred by 
the community.

I think that's all that we're trying to say here.

Cheers, Manav

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec