Hi Sean,

First, thanks for the collective compliment. But in fact I have seen two recent cases where IPsec/IKE-related work did manage to sneak past this workgroup until quite late in the process (http://tools.ietf.org/html/draft-ietf-hokey-rfc5296bis-06, http://tools.ietf.org/html/draft-ietf-dime-ikev2-psk-diameter-11). It may be a matter of lack of communication or lack of energy, but these things do happen. So I do see value in a draft that explicitly recommends not using AH in general, and points out where AH does make sense.

Thanks,
Yaron

On 01/05/2012 05:31 AM, Sean Turner wrote:
Manav,

I'm trying to figure out whose implementation this situation will create a problem for? If the new application or protocol ends up doing one of the 3 things you listed (http://www.ietf.org/mail-archive/web/ipsec/current/msg07401.html), then is the problem that those who haven't implemented AH now have to?

Are there any new applications or protocols that are mandating the use of AH?

Currently, I'm unconcerned about somebody sneaking a new protocol that mandates AH past the IETF because of this group. This group certainly isn't made up of shrinking violets ;)

spt

On 1/4/12 9:22 AM, Bhatia, Manav (Manav) wrote:
Hi Marc,

We don't say that. 4301 says that implementations MAY support AH and MUST support ESP.

This creates a problem for implementations if in future a new application or a protocol mandates the use of AH.

I will even go a step further and say that newer protocols should just assume ESP-NULL and not even bother with AH if they can do with just ESP.

Cheers, Manav

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Wednesday, January 04, 2012 7:46 PM
To: Bhatia, Manav (Manav)
Cc: Nico Williams; [email protected]
Subject: Re: [IPsec] Avoiding Authentication Header (AH)


"Manav" == Manav Bhatia<Bhatia> writes:
Manav> Hi Nico,

>> Advising (and updating said advice as circumstances change)
>> use-IPsec protocol designers as to when to use ESP and/or AH is
>> something we should do. Deprecating AH seems like a nice idea,
>> but if there's good reasons to still use it, then maybe not.

Manav> We're not talking about deprecating or killing AH. I concede
Manav> that I did allude to it in my first draft, but then changed
Manav> the tone based on the WG feedback, to say that we should
Manav> "avoid" AH wherever possible.

This is the status quo already.
Why do we need this draft?

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
