On Wed, Jun 30, 2021 at 10:03:48PM -0700, Erik Kline via Datatracker wrote:
> [S4.3.9.4] [comment]
>
> * It seems fairly clear from RFC 5570 Security Considerations that a
>   CALIPSO option is best protected with an AH, and in such cases stripping
>   the CALIPSO option would cause the packet to fail validation at the
>   (suitably configured) destination.
>
>   Similarly, it might be good to note in S4.3.9.5 that if an AH is present
>   presumably the advice from S3.4.5.5 applies.

Probably not very relevant here, but the current IPSECME advice is to use
ESP with null encryption rather than AH.

-Ben

_______________________________________________
OPSEC mailing list
https://www.ietf.org/mailman/listinfo/opsec
