On Apr 3, 2014, at 1:13 AM, Paul Wouters <[email protected]> wrote:
> On Wed, 2 Apr 2014, RJ Atkinson wrote:
>
>>> The IPsec community generally prefers ESP with NULL encryption over AH.
>>> AH is still required in some protocols and operational environments
>>> when there are security-sensitive options in the IP header, such as
>>> source routing headers.
>>
>> This does not make clear that ESP can't protect the IP options,
>> which is an important-to-document limitation of ESP.
>
> In my 15 years of IPsec work, I've hardly seen requests for AH. When our
> KLIPS stack per default disabled AH support in the kernel module, no one
> complained.

FWIW nobody complained when we removed AH from our firewall in 2003, but our product uses IPsec only for VPN.

I’m also with Paul on this.

Yoav
