Bhatia, Manav (Manav) writes:
> Hi Sean,
> 
> All I am saying is this:
> 
> There are many implementations that don't support AH as 4301 has a
> MAY support clause for AH.

Just noting that the same is true for WESP. It is not mandatory to
implement, and I would claim there are way more implementations out
there supporting AH than there are supporting WESP.

> Even within IETF there could be WGs looking at using or extending
> AH.

If there are some, just point us to them... anyways, extending AH would
clearly require comments from the IPsec community, so doing such a thing
and not getting comments from this list would (or at least should) be
impossible.

> Given that ESP does everything useful that AH does, it makes no
> sense to continue using AH. I think we should have a draft that says
> this. However, there are some very corner cases where it *may* make
> sense to use AH (though I am still a little unconvinced, but I'll
> concede for the sake of moving on) and people are most welcome to do
> that.

ESP-NULL does not provide the "reliable 100% proof" ability to parse
past the header. WESP does, but that is in the same category in the
implementations as AH (MAY), so that does not help.

Heuristics do provide a way to parse past the headers, but people
claim it is not reliable enough for them, and again it is in the same
category in the implementations. Although deploying a heuristics
implementation is faster, as it only requires changes to middleboxes,
not end nodes...

> If a WG ends up mandating AH (when ESP could have been used) then
> Yes it's a problem for everyone, right from the vendors to the
> users, who have to now support AH too in their products and
> networks.

If a WG wants to mandate AH, and we cannot convince them otherwise,
having a document which says so does not help. On the other hand, if we
have a stealth WG trying to sneak AH past the IPsec community, I think they
will also conveniently ignore this document.

In summary, I do not think there is a problem, and I do not think we need
to say anything about AH right now.
-- 
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
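The reply's point that ESP-NULL, unlike AH and WESP, gives a middlebox no deterministic way to locate the inner header can be made concrete with a small parser. The following is an added example, not code from the thread or from any IETF implementation: it models what an inspecting firewall or IDS sees on the wire for each of the three headers and reports whether the next header and payload boundaries can be recovered. The header layouts follow RFC 4302 (AH), RFC 4303 (ESP) and RFC 5840 (WESP); the WESP flag bit masks are this example's reading of RFC 5840, and the sample packets (a 20-byte TCP stub wrapped with a 12-byte ICV) are constructed for the demonstration.

```python
"""Why a middlebox can parse past AH and WESP but not ESP(-NULL)."""
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_ESP = 50
IPPROTO_AH = 51
IPPROTO_WESP = 141
IPPROTO_TCP = 6


@dataclass
class Parsed:
    proto: int
    next_header: Optional[int]     # None: cannot be determined from the packet
    payload_offset: Optional[int]  # where the inner (e.g. TCP) header starts
    payload_len: Optional[int]
    reason: str


def parse_ah(pkt: bytes) -> Parsed:
    """RFC 4302 AH: NextHdr(1) PayloadLen(1) Rsvd(2) SPI(4) Seq(4) ICV(var).

    PayloadLen is the AH length in 32-bit words minus 2, so the ICV length
    is implied and the inner header is found deterministically."""
    if len(pkt) < 12:
        raise ValueError("truncated AH header")
    nxt, plen = pkt[0], pkt[1]
    hdr_len = (plen + 2) * 4
    if hdr_len > len(pkt):
        raise ValueError("AH length field exceeds packet")
    return Parsed(IPPROTO_AH, nxt, hdr_len, len(pkt) - hdr_len,
                  "AH states its own length and next header in the clear")


def parse_esp(pkt: bytes) -> Parsed:
    """RFC 4303 ESP: SPI(4) Seq(4) [IV] Payload Pad PadLen(1) NextHdr(1) ICV(var).

    NextHdr sits in the trailer, in front of an ICV whose length depends on
    the negotiated integrity algorithm, which a middlebox does not know.
    Nothing in the header distinguishes ESP-NULL from encrypted ESP, so the
    only option left is heuristics."""
    if len(pkt) < 8:
        raise ValueError("truncated ESP header")
    return Parsed(IPPROTO_ESP, None, None, None,
                  "ESP header carries no length or next-header field; "
                  "trailer position depends on the unknown ICV length")


def parse_wesp(pkt: bytes) -> Parsed:
    """RFC 5840 WESP: NextHdr(1) HdrLen(1) TrailerLen(1) Flags(1), then ESP.

    HdrLen is the offset from the WESP header to the payload (past the ESP
    header and IV); TrailerLen covers padding, PadLen, NextHdr and ICV.
    Flags: Version(2) E(1) P(1) Rsvd(4); the masks below are this example's
    reading of RFC 5840. The receiving end node must check these fields
    against the real ESP trailer and drop mismatches, which is what lets a
    middlebox rely on them."""
    if len(pkt) < 12:
        raise ValueError("truncated WESP header")
    nxt, hdr_len, trailer_len, flags = pkt[0], pkt[1], pkt[2], pkt[3]
    if flags >> 6 != 0:
        raise ValueError("unknown WESP version")
    if flags & 0x20:  # E bit (assumed mask): payload encrypted, nothing to inspect
        return Parsed(IPPROTO_WESP, None, None, None,
                      "WESP E bit set: encrypted payload")
    if hdr_len < 12 or hdr_len + trailer_len > len(pkt):
        raise ValueError("WESP length fields inconsistent with packet")
    return Parsed(IPPROTO_WESP, nxt, hdr_len, len(pkt) - hdr_len - trailer_len,
                  "WESP exposes next header, header length and trailer length")


PARSERS = {IPPROTO_AH: parse_ah, IPPROTO_ESP: parse_esp, IPPROTO_WESP: parse_wesp}


def parse_past_ipsec(proto: int, pkt: bytes) -> Parsed:
    """Dispatch on the IP protocol number carried in the outer IP header."""
    if proto not in PARSERS:
        raise ValueError(f"not an IPsec protocol: {proto}")
    return PARSERS[proto](pkt)


# Constructed sample packets (not real captures). Each wraps a 20-byte TCP
# stub and ends with a 12-byte ICV, as HMAC-SHA1-96 would produce.
TCP_STUB = bytes(20)
ICV = b"\x00" * 12
SPI_SEQ = struct.pack("!II", 0x1000, 1)               # SPI, sequence number
ESP_TRAILER = b"\x00\x00" + bytes([2, IPPROTO_TCP])   # 2 pad bytes, PadLen, NextHdr
AH_PKT = bytes([IPPROTO_TCP, 4, 0, 0]) + SPI_SEQ + ICV + TCP_STUB  # PayloadLen 4 -> 24 bytes
ESP_NULL_PKT = SPI_SEQ + TCP_STUB + ESP_TRAILER + ICV
WESP_PKT = bytes([IPPROTO_TCP, 12, 16, 0x00]) + ESP_NULL_PKT      # HdrLen 12, TrailerLen 16

if __name__ == "__main__":
    for name, proto, pkt in [("AH", IPPROTO_AH, AH_PKT),
                             ("ESP-NULL", IPPROTO_ESP, ESP_NULL_PKT),
                             ("WESP", IPPROTO_WESP, WESP_PKT)]:
        print(name, parse_past_ipsec(proto, pkt))
```

Running it shows AH and WESP yielding next header 6 (TCP) with a 20-byte payload at a known offset, while the ESP-NULL packet, byte-for-byte identical to the one wrapped in WESP, yields nothing: the inner header can only be guessed, which is the gap the heuristics drafts try to fill at the middlebox rather than at the end nodes.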