Manav is right. That was mainly the reason behind making ESP a MUST and AH a SHOULD.

Excerpt from section 3.2 of RFC 4301:

   IPsec implementations MUST support ESP and MAY support AH. (Support for AH has been downgraded to MAY because experience has shown that there are very few contexts in which ESP cannot provide the requisite security services. Note that ESP can be used to provide only integrity, without confidentiality, making it comparable to AH in most contexts.)

- Mukesh

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Bhatia, Manav (Manav)
Sent: Wednesday, November 03, 2010 9:05 AM
To: Acee Lindem; Vishwas Manral
Cc: [email protected]; [email protected]; [email protected]; [email protected]; Suresh Melam; RFC Errata System
Subject: Re: [OSPF] [Technical Errata Reported] RFC4552 (2599)

Hi Acee,

That's because 4301 requires all IPsec implementations to MUST support ESP and MAY support AH.

Cheers, Manav

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Acee Lindem
> Sent: Wednesday, November 03, 2010 9.20 PM
> To: Vishwas Manral
> Cc: [email protected]; [email protected]; [email protected]; [email protected]; [email protected]; RFC Errata System
> Subject: Re: [OSPF] [Technical Errata Reported] RFC4552 (2599)
>
> Hi Vishwas,
> Do you recall the reason for making ESP mandatory and AH optional for OSPFv3 IPsec?
> Thanks,
> Acee
>
> On Nov 2, 2010, at 8:05 PM, Vishwas Manral wrote:
>
> > Hi,
> >
> > This errata is wrong. ESP provides authentication as well as confidentiality, have a look at RFC 4301.
> >
> > Thanks,
> > Vishwas
> >
> > On Tue, Nov 2, 2010 at 8:53 AM, RFC Errata System <[email protected]> wrote:
> >>
> >> The following errata report has been submitted for RFC4552,
> >> "Authentication/Confidentiality for OSPFv3".
> >>
> >> --------------------------------------
> >> You may review the report below and at:
> >> http://www.rfc-editor.org/errata_search.php?rfc=4552&eid=2599
> >>
> >> --------------------------------------
> >> Type: Technical
> >> Reported by: John W. O'Brien <[email protected]>
> >>
> >> Section: 3
> >>
> >> Original Text
> >> -------------
> >> In order to provide authentication to OSPFv3, implementations MUST support ESP and MAY support AH.
> >>
> >> Corrected Text
> >> --------------
> >> In order to provide authentication to OSPFv3, implementations MUST support AH and MAY support ESP.
> >>
> >> Notes
> >> -----
> >> Authentication can be provided by an implementation that supports AH only.
> >>
> >> Instructions:
> >> -------------
> >> This errata is currently posted as "Reported". If necessary, please
> >> use "Reply All" to discuss whether it should be verified or
> >> rejected. When a decision is reached, the verifying party (IESG)
> >> can log in to change the status and edit the report, if necessary.
> >>
> >> --------------------------------------
> >> RFC4552 (draft-ietf-ospf-ospfv3-auth-08)
> >> --------------------------------------
> >> Title : Authentication/Confidentiality for OSPFv3
> >> Publication Date : June 2006
> >> Author(s) : M. Gupta, N. Melam
> >> Category : PROPOSED STANDARD
> >> Source : Open Shortest Path First IGP
> >> Area : Routing
> >> Stream : IETF
> >> Verifying Party : IESG
> >> _______________________________________________
> >> OSPF mailing list
> >> [email protected]
> >> https://www.ietf.org/mailman/listinfo/ospf

_______________________________________________
OSPF mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ospf
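The integrity-only ESP that the RFC 4301 excerpt in this thread refers to, as an added illustration that is not part of the thread or of any implementation discussed in it: an ESP packet laid out per RFC 4303 with NULL encryption and a truncated HMAC-SHA-256 ICV, so the payload travels in the clear but any modification is detected, which is the AH-like service. The SPI, key and payload bytes are constructed sample values; the Next Header value 89 is the OSPF protocol number.

```python
import hashlib
import hmac
import struct

OSPF_PROTO = 89   # Next Header value for OSPF (IANA protocol number)
ICV_LEN = 16      # HMAC-SHA-256-128: tag truncated to 128 bits (RFC 4868)
SAMPLE_KEY = b"\x11" * 32  # constructed sample integrity key, not a real SA key


def esp_null_build(spi: int, seq: int, payload: bytes, key: bytes,
                   next_hdr: int = OSPF_PROTO) -> bytes:
    """Build an ESP packet with NULL encryption: integrity only, no confidentiality."""
    # Payload + Padding + Pad Length + Next Header must be 4-byte aligned (RFC 4303 2.4).
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default monotonic padding
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_hdr])
    # ICV covers the ESP header, the (unencrypted) payload and the trailer.
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_null_verify(packet: bytes, key: bytes):
    """Return (spi, seq, next_hdr, payload) when the ICV checks out, else None."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time comparison
        return None
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_hdr = body[-2], body[-1]
    payload_end = len(body) - 2 - pad_len
    if payload_end < 8:
        return None
    return spi, seq, next_hdr, body[8:payload_end]


def demo():
    """Constructed OSPFv3-style payload: accepted intact, rejected once a byte is flipped."""
    pkt = esp_null_build(0x100, 1, b"ospfv3-hello", SAMPLE_KEY)
    tampered = bytearray(pkt)
    tampered[10] ^= 0x01                          # flip one bit inside the cleartext payload
    return esp_null_verify(pkt, SAMPLE_KEY), esp_null_verify(bytes(tampered), SAMPLE_KEY)


if __name__ == "__main__":
    print(demo())
```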
