On Wed, 2 Apr 2014, RJ Atkinson wrote:

> The IPsec community generally prefers ESP with NULL encryption over AH.
> AH is still required in some protocols and operational environments
> when there are security-sensitive options in the IP header, such as
> source routing headers.
>
> This does not make clear that ESP can't protect the IP options,
> which is an important-to-document limitation of ESP.

In my 15 years of IPsec work, I've hardly seen requests for AH. When our
KLIPS stack per default disabled AH support in the kernel module, no one
complained.

> It also should mention IP sensitivity label options, such as RFC-1108
> and RFC-5570 as a use case for AH, in addition to source-routing headers.

There are people that still accept source routing? How archaic....

I'm with Paul Hoffman here. I think the current text is fine.

Paul