On Fri, Jan 2, 2026 at 8:50 AM Jun Hu (Nokia) <jun.hu= [email protected]> wrote:
> I personally agree to get rid of AH; however if we consider the impact, it > is more than just IPsec, there are some non-ipsec protocols today still > allow to use AH (along with ESP) like OSPFv3 (RFC4552), MIPv6 (RFC6275), > there might other others > Hi Jun, That's a good point. Do you know of anyone using AH with routing protocols? If someone is using it is there any reason they could use ESP or ESP-NULL instead? Tom > > *From:* Tom Herbert <[email protected]> > *Sent:* Friday, January 2, 2026 8:16 AM > *To:* Steffen Klassert <[email protected]> > *Cc:* Blumenthal, Uri - 0553 - MITLL <[email protected]>; Paul Wouters < > [email protected]>; [email protected] > *Subject:* [IPsec] Re: [EXT] Re: Fwd: New Version Notification for > draft-herbert-deprecate-auth-header-00.txt > > > > You don't often get email from [email protected]. Learn > why this is important <https://aka.ms/LearnAboutSenderIdentification> > > > > > > *CAUTION:* This is an external email. Please be very careful when > clicking links or opening attachments. See the URL nok.it/ext for > additional information. > > > > > > On Fri, Jan 2, 2026, 4:25 AM Steffen Klassert < > [email protected]> wrote: > > On Thu, Jan 01, 2026 at 06:13:17AM +0000, Blumenthal, Uri - 0553 - MITLL > wrote: > > >> Do you remember why consensus wasn't reached? Unless there's a good > > >> reason, I would like to remove support for AH from Linux. > > > > > > The people thought they had good reasons. > > > > > > Not a good argument - nobody (normally) argues believing his reasons are > bad. The real reasons for AH existence have died long ago - and I’ve been > there when AH was initially created, so yes I do know. > > > > > > > There were various use cases and saving bytes compared to esp-null > mattered. > > > > No valid use cases now, AFAIK - and while saving bytes might make some > sense, I’d say - not in this case. > > Some people still use it because it authenticates the constant > fields of the outer IP header, this can't be done with ESP. > > > > Hi Steffen, > > > > Is this a fact that people are using AH or a conjecture that people might > be using it? :-) > > > > Also, I'm not sure there's really any value in authenticating the constant > fields of IP header. The constant fields are just addresses, version, > length (IHL and total), next protocol. With the exception of the addresses, > any modifications to the other fields inflight would most likely result in > dropped packets especially if ESP or Transport security is also in use. The > addresses of course are routinely changed in NAT, so use of AH could > prevent the use of NAT in the path. That point was brought up on 6man where > AH could be used to discourage the use of NAT with IPv6. I'm doubtful > anyone is actually using AH for that purpose. > > > > > > >> If no one’s using AH then the code is nothing more than a liability > and > > >> maintenance headache. Granted, we don't need formal deprecation of AH > > >> to do that, but I would prefer to keep Linux and IETF on the same > page. > > > > And it’s about time to turn that page over. 😉 > > I'd be more than happy to get rid of AH in the Linux Kernel, and an > official deprecation by the IETF would help a lot. > > > > Sounds good. I believe the first step will be to disable compilation of AH > by default in Kconfig with a nice warning that AH is being deprecated. I'll > post a patch shortly. > > > > > > > > > I thought Linux didn’t break APIs. You can ask the Linux IPsec > maintainer, > > > he is on this list and will read this too. > > > My impression was even if the IETF obsoleted it, Linux wouldn't remove > it. > > > > > > Let’s hope he’ll jump in. BTW, breaking changes do happen, as I observed > myself when I was working with/on Linux. > > Breaking changes do happen, but we should not break things > intentionally. We need to make sure that all still valid > use cases are covered somewhere else, then we can start > the deprecation process in the IETF and the Linux Kernel. > > > > AFAICT, ESP or transport layer security adequately covers all > practical use cases. > > > > Tom > > > > > Steffen > >
_______________________________________________ IPsec mailing list -- [email protected] To unsubscribe send an email to [email protected]
