Hi Sean,
first, thanks for the collective compliment. But in fact I have seen two
recent cases where IPsec/IKE-related work did manage to sneak past this
workgroup until quite late in the process (
http://tools.ietf.org/html/draft-ietf-hokey-rfc5296bis-06,
http://tools.ietf.org/html/draft-ietf-dime-ikev2-psk-diameter-11). It
may be a matter of lack of communication or lack of energy, but these
things do happen. So I do see value in a draft that explicitly
recommends not using AH in general, and points out where AH does make sense.
Thanks,
Yaron
On 01/05/2012 05:31 AM, Sean Turner wrote:
Manav,
I'm trying to figure out whose implementation this situation will
create a problem for? If the new application or protocol ends up doing
one of the 3 things you listed
(http://www.ietf.org/mail-archive/web/ipsec/current/msg07401.html),
then is the problem that those who haven't implemented AH now have to?
Are there any new applications or protocols that are mandating the use
of AH?
Currently, I'm unconcerned about somebody sneaking a new protocol that
mandates AH past the IETF because of this group. This group certainly
isn't made up of shrinking violets ;)
spt
On 1/4/12 9:22 AM, Bhatia, Manav (Manav) wrote:
Hi Marc,
We don't say that. 4301 says that implementations MAY support AH and
MUST support ESP.
This creates a problem for implementations if in future a new
application or a protocol mandates the use of AH.
I will even go a step further and say that newer protocols should
just assume ESP-NULL and not even bother with AH if they can do with
just ESP.
Cheers, Manav
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Wednesday, January 04, 2012 7:46 PM
To: Bhatia, Manav (Manav)
Cc: Nico Williams; [email protected]
Subject: Re: [IPsec] Avoiding Authentication Header (AH)
"Manav" == Manav Bhatia<Bhatia> writes:
Manav> Hi Nico,
>> Advising (and updating said advice as circumstances change)
>> use-IPsec protocol designers as to when to use ESP and/or AH is
>> something we should do. Deprecating AH seems like a nice idea,
>> but if there's good reasons to still use it, then maybe not.
Manav> We're not talking about deprecating or killing AH. I concede
Manav> that I did allude to it in my first draft, but then changed
Manav> the tone based on the WG feedback, to say that we should
Manav> "avoid" AH wherever possible.
This is the status quo already.
Why do we need this draft?
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
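To make concrete what Manav's "just assume ESP-NULL" means, here is an added example (not code from the thread or from any IETF document) that builds and verifies an ESP packet with the NULL cipher (RFC 2410) in transport mode: integrity protection only, carried in ESP framing rather than AH. The integrity algorithm (HMAC-SHA-256 truncated to 128 bits, as in RFC 4868), the SPI, the key and the payload are constructed sample values; the outer IP header, SA lookup and the anti-replay window are omitted. One point this shows that the messages only imply: the ESP ICV covers the ESP header, payload and trailer but not the outer IP header, which is why ESP-NULL can give the same payload integrity as AH without AH's dependence on immutable IP header fields.

```python
"""ESP with NULL encryption ("ESP-NULL", RFC 2410), transport mode.

Added example, not from the IPsec list thread. Standard library only.
Key, SPI, sequence number and payload used in demo() are constructed.
"""
import hashlib
import hmac
import struct

ICV_LEN = 16          # RFC 4868 HMAC-SHA-256-128: MAC truncated to 128 bits
NEXT_HEADER_UDP = 17  # IP protocol number recorded in the ESP trailer


def esp_null_encapsulate(spi: int, seq: int, payload: bytes,
                         next_header: int, key: bytes) -> bytes:
    """Wrap payload in ESP framing with NULL encryption and an HMAC ICV."""
    # ESP header: SPI (4 bytes) | sequence number (4 bytes), network order
    header = struct.pack("!II", spi, seq)
    # NULL cipher has block size 1, but RFC 4303 still requires Pad Length
    # and Next Header to end on a 4-byte boundary (IPv4 alignment).
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))     # RFC 4303 default 1,2,3,... padding
    trailer = padding + bytes([pad_len, next_header])
    # With NULL encryption the "ciphertext" is the plaintext; the ICV is
    # computed over header + payload + trailer, never the outer IP header.
    authenticated = header + payload + trailer
    icv = hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


def esp_null_decapsulate(packet: bytes, key: bytes):
    """Verify the ICV and strip ESP framing.

    Returns (spi, seq, next_header, payload); raises ValueError on any
    integrity or framing failure, which is the receiver's drop decision.
    """
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short for ESP")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    # Constant-time comparison; check the ICV before parsing anything else
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    if 8 + 2 + pad_len > len(body):
        raise ValueError("ESP pad length exceeds packet")
    padding = body[len(body) - 2 - pad_len:len(body) - 2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    payload = body[8:len(body) - 2 - pad_len]
    return spi, seq, next_header, payload


def tamper_detected(packet: bytes, key: bytes, offset: int) -> bool:
    """Flip one bit at `offset` and report whether the receiver rejects it."""
    modified = packet[:offset] + bytes([packet[offset] ^ 0x01]) + packet[offset + 1:]
    try:
        esp_null_decapsulate(modified, key)
    except ValueError:
        return True
    return False


def demo():
    key = b"\x11" * 32                      # constructed 256-bit integrity key
    payload = b"application data"           # constructed 16-byte upper-layer data
    pkt = esp_null_encapsulate(0x1000, 1, payload, NEXT_HEADER_UDP, key)
    print("ESP-NULL packet:", pkt.hex())
    print("decapsulated:", esp_null_decapsulate(pkt, key))
    print("payload tamper detected:", tamper_detected(pkt, key, 12))
    return pkt


if __name__ == "__main__":
    demo()
```

Note that the payload travels in the clear, exactly as with AH; ESP-NULL is a framing choice, not a confidentiality one, and a receiver that only implements ESP (the RFC 4301 MUST) can process it without any AH code path.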