IPsec ESP and AH have a long history with user communities that pre-date any discussion of IKE, VPN, or use cases. It is important not to damage this history by citing comments like "my customers do not use IP or the Internet that way." Fifteen years do not capture this. I count somewhere around 21 years, but I'm usually off by one or two (which is why I don't write software anymore :-)).

One of the leading, still breathing, IPsec authors said about 20 years ago, "There will never be an ESP NULL encryption option. Over my dead body." Times change, but legitimate differences exist. No one is asking for a MUST do AH here. In addition to what Ran said about options, there may also be protection AH can provide for multicast that cannot be done otherwise. This has been discussed but to my knowledge never fully resolved. That being said, I think Ran's proposed text mixed what should be in the document with why something should be in the document, and these aspects should be separated.

BR, Rich Graveman

On Thu, Apr 3, 2014 at 2:41 AM, Yoav Nir <[email protected]> wrote:
>
> On Apr 3, 2014, at 1:13 AM, Paul Wouters <[email protected]> wrote:
>
> > On Wed, 2 Apr 2014, RJ Atkinson wrote:
> >
> >>> The IPsec community generally prefers ESP with NULL encryption over AH.
> >>> AH is still required in some protocols and operational environments
> >>> when there are security-sensitive options in the IP header, such as
> >>> source routing headers.
> >>
> >> This does not make clear that ESP can't protect the IP options,
> >> which is an important-to-document limitation of ESP.
> >
> > In my 15 years of IPsec work, I've hardly seen requests for AH. When our
> > KLIPS stack per default disabled AH support in the kernel module, no one
> > complained.
>
> FWIW nobody complained when we removed AH from our firewall in 2003, but
> our product uses IPsec only for VPN.
>
> I'm also with Paul on this.
>
> Yoav
>
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec
>
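The point Ran raises in the quoted thread (ESP cannot protect IP header options, AH can) is easy to see by computing the two integrity check values side by side. The following is an added worked example, not code from the thread, the IETF, or any IPsec implementation. It builds an IPv4 packet carrying a Router Alert option (chosen because RFC 4302 Appendix A1 lists that option as immutable, so AH authenticates it), computes the AH ICV per RFC 4302 (mutable fields zeroed, HMAC-SHA1-96 per RFC 2404) and an ESP-NULL transport-mode ICV per RFC 4303, then shows that an on-path change to the option breaks AH verification but passes ESP verification, while a normal TTL decrement passes both. The key, SPI, sequence number, addresses, IP ID and payload are constructed test values; SA lookup, replay windows and IKE are omitted.

```python
"""Added example: what AH's ICV covers that ESP-NULL's does not (IPv4 transport mode)."""
import hashlib
import hmac
import struct

PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17
KEY = bytes(range(20))          # constructed HMAC-SHA1 key; a real one comes from IKE
SPI, SEQ = 0x00001234, 1        # constructed SA identifier and first sequence number
ICV_LEN = 12                    # HMAC-SHA1-96 truncates the tag to 96 bits (RFC 2404)
ROUTER_ALERT = bytes([0x94, 0x04, 0x00, 0x00])  # RFC 2113; immutable per RFC 4302 App. A1


def hmac_sha1_96(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def fix_checksum(p: bytearray) -> bytes:
    ihl = (p[0] & 0x0F) * 4
    p[10:12] = b"\x00\x00"
    struct.pack_into("!H", p, 10, ip_checksum(bytes(p[:ihl])))
    return bytes(p)


def ipv4_header(src, dst, proto, payload_len, options=b"", ttl=64) -> bytes:
    options += b"\x00" * (-len(options) % 4)         # options padded to 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + payload_len,
                      0x4242, 0x4000, ttl, proto, 0, src, dst) + options
    return fix_checksum(bytearray(hdr))


def ah_icv_input(ip_hdr, ah_fixed, payload) -> bytes:
    """RFC 4302 3.3.3.1: zero the mutable IPv4 fields (TOS, flags/fragment
    offset, TTL, header checksum) and the ICV field. Everything else in the
    header, immutable options included, is authenticated."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h) + ah_fixed + bytes(ICV_LEN) + payload


def ah_protect(src, dst, payload, options=b"", next_hdr=PROTO_UDP) -> bytes:
    ah_len = 12 + ICV_LEN                            # fixed AH fields + ICV
    ip_hdr = ipv4_header(src, dst, PROTO_AH, ah_len + len(payload), options)
    ah_fixed = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, SPI, SEQ)
    icv = hmac_sha1_96(ah_icv_input(ip_hdr, ah_fixed, payload))
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    ah_fixed, icv, payload = pkt[ihl:ihl + 12], pkt[ihl + 12:ihl + 24], pkt[ihl + 24:]
    return hmac.compare_digest(icv, hmac_sha1_96(ah_icv_input(pkt[:ihl], ah_fixed, payload)))


def esp_null_protect(src, dst, payload, options=b"", next_hdr=PROTO_UDP) -> bytes:
    """RFC 4303 transport mode with the NULL cipher: the ICV covers SPI,
    sequence number, payload and trailer only. The IP header is outside it."""
    pad_len = -(len(payload) + 2) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    body = struct.pack("!II", SPI, SEQ) + payload + trailer
    ip_hdr = ipv4_header(src, dst, PROTO_ESP, len(body) + ICV_LEN, options)
    return ip_hdr + body + hmac_sha1_96(body)


def esp_null_verify(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return hmac.compare_digest(pkt[-ICV_LEN:], hmac_sha1_96(pkt[ihl:-ICV_LEN]))


def forward_hop(pkt: bytes) -> bytes:
    """A router's legitimate change: decrement TTL, recompute the checksum."""
    p = bytearray(pkt)
    p[8] -= 1
    return fix_checksum(p)


def tamper_option(pkt: bytes) -> bytes:
    """On-path change to the Router Alert value (first option, header bytes
    22-23), with the checksum repaired so the IP layer still accepts it."""
    p = bytearray(pkt)
    p[22:24] = b"\x00\x01"                           # constructed: any change will do
    return fix_checksum(p)


def demo() -> dict:
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
    payload = b"constructed UDP datagram"                    # constructed next-header payload
    ah = ah_protect(src, dst, payload, ROUTER_ALERT)
    esp = esp_null_protect(src, dst, payload, ROUTER_ALERT)
    return {
        "ah_clean": ah_verify(ah),
        "ah_after_hop": ah_verify(forward_hop(ah)),
        "ah_tampered_option": ah_verify(tamper_option(ah)),
        "esp_clean": esp_null_verify(esp),
        "esp_tampered_option": esp_null_verify(tamper_option(esp)),
    }


if __name__ == "__main__":
    print(demo())
```

Only the `ah_tampered_option` result is False: the modified Router Alert value is inside AH's ICV input but entirely outside ESP's, and the TTL decrement is tolerated by AH because TTL and the header checksum are zeroed before the ICV is computed. Router Alert was picked deliberately; for IPv4, RFC 4302 Appendix A1 puts the Loose and Strict Source Route options in the mutable (zeroed) class rather than the immutable one, so which options AH actually authenticates depends on that classification, not just on AH being in use.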
