On 04 Jan 2012, at 00:49, Nico Williams wrote:

> Advising (and updating said advice as circumstances change)
> use-IPsec protocol designers as to when to use ESP and/or
> AH is something we should do.

This has already been done. More than once.

For a start, the latest IPsec RFCs contain advice. There are also other RFCs with such advice, including a relatively recent BCP on use of IPsec.

There is no evidence of any recent change either to the operational circumstances or to the available alternatives. So no update is appropriate at this time.

> Deprecating AH seems like a nice idea, but if there's good
> reasons to still use it, then maybe not.

There are deployments now and have been deployments all along -- and those deployments don't have any alternatives to AH.

> In 2012 the use of manually keyed unicast SAs with
> group shared keys is not exactly impressive (because not scalable).

Actually, that assumption is not valid. There are multiple approaches to scalability available now.

An obvious example is to use a KDC to distribute keys.

Another example is to use existing provisioning systems to provision keys. ISPs have a wide range of provisioning systems, often locally developed. Enterprise users vary -- larger enterprises often have provisioning systems; smaller enterprise users less often (although their scale is also smaller). Many enterprise equipment vendors offer centralised management platforms that include provisioning capability, often multi-vendor provisioning capability.

There is also a standards-based approach to configuration/provisioning -- using NetConf.

There are even approaches that use RADIUS to distribute wrapped keys.

Yours,

Ran

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
