Manav,

I'm trying to figure out whose implementation this situation will create
a problem for? If the new application or protocol ends up doing one of
the 3 things you listed
(http://www.ietf.org/mail-archive/web/ipsec/current/msg07401.html), then
is the problem that those who haven't implemented AH now have to?

Are there any new applications or protocols that are mandating the use
of AH?

Currently, I'm unconcerned about somebody sneaking a new protocol that
mandates AH past the IETF because of this group. This group certainly
isn't made up of shrinking violets ;)
spt

On 1/4/12 9:22 AM, Bhatia, Manav (Manav) wrote:

Hi Marc,

We don't say that. 4301 says that implementations MAY support AH and MUST
support ESP.

This creates a problem for implementations if in future a new application or a
protocol mandates the use of AH.

I will even go a step further and say that newer protocols should just assume
ESP-NULL and not even bother with AH if they can do with just ESP.

Cheers, Manav
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Wednesday, January 04, 2012 7:46 PM
To: Bhatia, Manav (Manav)
Cc: Nico Williams; [email protected]
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
"Manav" == Manav Bhatia<Bhatia> writes:
Manav> Hi Nico,
>> Advising (and updating said advice as circumstances change)
>> use-IPsec protocol designers as to when to use ESP and/or AH is
>> something we should do. Deprecating AH seems like a nice idea,
>> but if there's good reasons to still use it, then maybe not.
Manav> We're not talking about deprecating or killing AH. I concede
Manav> that I did allude to it in my first draft, but then changed
Manav> the tone based on the WG feedback, to say that we should
Manav> "avoid" AH wherever possible.
This is the status quo already.
Why do we need this draft?
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec