Hello, Ben,

On Wed, 2021-07-07 at 19:00 -0700, Benjamin Kaduk wrote:
> On Wed, Jun 30, 2021 at 10:03:48PM -0700, Erik Kline via Datatracker wrote:
> > [S4.3.9.4] [comment]
> >
> > * It seems fairly clear from RFC 5570 Security Considerations that a
> >   CALIPSO option is best protected with an AH, and in such cases stripping
> >   the CALIPSO option would cause the packet to fail validation at the
> >   (suitably configured) destination.
> >
> >   Similarly, it might be good to note in S4.3.9.5 that if an AH is present
> >   presumably the advice from S3.4.5.5 applies.
>
> Probably not very relevant here, but the current IPSECME advice is to use
> ESP with null encryption rather than AH.

A pointer might be worth including. What document and section should we be
referencing here?

Thanks!

Regards,
-- 
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
