On Tue, 14 Mar 2023, Michael Richardson wrote: [speaking as individual]
> AH has essentially no deployment at this point, and so this is rather a good plan.
We have been trying to kill it in favour of ESP-NULL, so I'm not sure I would want to encourage new deployment of it at this point. I think we are getting to the point where stacks might not even code it in anymore. Sure, Linux will have it for another decade or two but ....

https://www.rfc-editor.org/rfc/rfc8221

  ENCR_NULL status was set to MUST in [RFC7321] and remains a MUST to enable the use of ESP with only authentication, which is preferred over AH due to NAT traversal.
The concern that I have about this document is that the IPsec/AH parts of it are rather simple. The IPv6 header insertion and MTU parts of this document are, I think, very controversial given the SR6 experience: SR6 was said to be always within an AS, and that any leaks would be a bug. But the ENTIRE point of RISAV is to communicate between ASs.
At which point, why not encrypt it too? Modifying an AH stack also takes time. How long will it take before this would be generally available? Is it really worth the wait?

Paul
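The RFC 8221 remark quoted above ("preferred over AH due to NAT traversal") comes down to what each ICV covers: AH's integrity check spans the outer IP header, addresses included, so any NAT rewrite invalidates it, while ESP's ICV starts at the ESP header and leaves the IP addresses outside the authenticated region. The following script is an added illustration of that difference and is not code from the thread, from RISAV, or from any IPsec stack. It builds simplified AH and ESP-NULL transport-mode packets with an HMAC-SHA2-256-128 ICV, then passes them through a constructed NAT hop. The key, addresses, SPIs and payload are constructed for the example; the IPv4 header checksum is left at zero for brevity, and the AH mutable-field handling follows RFC 4302 for a header without options.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a real SA gets its integrity key from IKEv2.
INTEG_KEY = b"constructed-demo-key-not-for-real-use"
ICV_LEN = 16  # AUTH_HMAC_SHA2_256_128: HMAC-SHA256 truncated to 128 bits

AH_PROTO, ESP_PROTO, TCP_PROTO = 51, 50, 6


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at 0 (not relevant here)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def icv(data):
    return hmac.new(INTEG_KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_immutable_view(ip_hdr):
    """Zero the IPv4 fields RFC 4302 treats as mutable before computing the
    AH ICV: DSCP/ECN, flags + fragment offset, TTL, header checksum.
    Source and destination addresses are NOT zeroed: AH authenticates them."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def build_ah_packet(src, dst, payload, spi=0x100, seq=1):
    """AH transport mode: IP | AH(next, len, rsvd, spi, seq, ICV) | payload."""
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH_PROTO, ah_len + len(payload))
    ah_no_icv = struct.pack("!BBHII", TCP_PROTO, ah_len // 4 - 2, 0, spi, seq)
    ah_no_icv += b"\x00" * ICV_LEN          # ICV field zeroed for the MAC
    tag = icv(ah_immutable_view(ip_hdr) + ah_no_icv + payload)
    return ip_hdr + ah_no_icv[:12] + tag + payload


def verify_ah(packet):
    ip_hdr, rest = packet[:20], packet[20:]
    ah_len = (rest[1] + 2) * 4
    ah, payload = rest[:ah_len], rest[ah_len:]
    tag, ah_no_icv = ah[12:12 + ICV_LEN], ah[:12] + b"\x00" * ICV_LEN
    expected = icv(ah_immutable_view(ip_hdr) + ah_no_icv + payload)
    return hmac.compare_digest(tag, expected)


def build_esp_null_packet(src, dst, payload, spi=0x200, seq=1):
    """ESP-NULL transport mode: IP | ESP(spi, seq) | payload | pad | padlen | next | ICV.
    The ICV covers only the ESP header through the trailer, never the IP header."""
    pad_len = (-(len(payload) + 2)) % 4       # align payload+trailer to 4 bytes
    esp_hdr = struct.pack("!II", spi, seq)
    body = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, TCP_PROTO])
    esp = esp_hdr + body + icv(esp_hdr + body)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def verify_esp_null(packet):
    esp = packet[20:]
    return hmac.compare_digest(esp[-ICV_LEN:], icv(esp[:-ICV_LEN]))


def forward_hop(packet, new_src=None):
    """Constructed router/NAT hop: decrement TTL; if new_src is given, also
    rewrite the source address the way a source NAT would."""
    h = bytearray(packet[:20])
    h[8] -= 1
    if new_src is not None:
        h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h) + packet[20:]


def demo():
    payload = b"constructed TCP segment"
    ah = build_ah_packet("10.0.0.2", "203.0.113.9", payload)
    esp = build_esp_null_packet("10.0.0.2", "203.0.113.9", payload)
    return {
        "ah_direct": verify_ah(ah),
        "ah_after_router": verify_ah(forward_hop(ah)),                   # TTL only
        "ah_after_nat": verify_ah(forward_hop(ah, "198.51.100.7")),      # addr rewritten
        "esp_direct": verify_esp_null(esp),
        "esp_after_nat": verify_esp_null(forward_hop(esp, "198.51.100.7")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:17s} ICV {'OK' if ok else 'FAIL'}")
```

The AH packet survives an ordinary router hop (TTL is a mutable field and is zeroed before the MAC) but fails as soon as the source address changes, whereas the ESP-NULL packet verifies after the same rewrite; in real deployments ESP additionally gets UDP encapsulation (RFC 3948) so the NAT has a port to map, which AH cannot be given without breaking its ICV.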
