On Wed, Jul 7, 2021 at 7:00 PM Benjamin Kaduk <[email protected]> wrote:

> On Wed, Jun 30, 2021 at 10:03:48PM -0700, Erik Kline via Datatracker wrote:
> > [S4.3.9.4] [comment]
> >
> > * It seems fairly clear from RFC 5570 Security Considerations that a
> >   CALIPSO option is best protected with an AH, and in such cases stripping
> >   the CALIPSO option would cause the packet to fail validation at the
> >   (suitably configured) destination.
> >
> >   Similarly, it might be good to note in S4.3.9.5 that if an AH is present
> >   presumably the advice from S3.4.5.5 applies.
>
> Probably not very relevant here, but the current IPSECME advice is to use
> ESP with null encryption rather than AH.

My (mis)understanding was that this was mostly because of NAT/NAPT. Is there some benefit of this recommendation that applies when NAT/NAPT doesn't apply (/me looks at IPv6)?

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
