Merike,
And so I reply to myself, but I got curious and wanted evidence. I found
the first references to AH/ESP and NULL in the June 1996 IPsec archives.
http://www.sandelman.ottawa.on.ca/ipsec/1996/06/msg00030.html
And while there were some interesting tidbits, the joggle for my memory banks
was that there was a bunch of discussion on where AH would be used
with ESP and whether ESP only would also be relevant. And while I
couldn't find an exact reference to the March 1998 interop testing in
North Carolina that showed issues with AH not traversing NATs, I am
fairly certain that was the case and why in practice people started
using ESP-Null. (It wasn't in the notes for the follow-up IETF IPsec
meeting.)
Someone else from that time may also be able to chime in.
The very first IPsec designs called for use of AH plus ESP to offer
authentication, integrity and confidentiality. That dual protocol use
was a significant burden, so ESP was extended to offer all three services,
and AH remained as an auth/integ but no confid alternative, for various
reasons. (One reason, as you noted, was export controls on encryption.)
Later we revised ESP to incorporate NULL encryption for the reasons I
cited earlier; I forgot about the NAT problem.
Steve
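An added illustration of the NAT point raised in the thread (example code written for this note, not from the thread, the archive it cites, or any IPsec implementation). It models why an AH packet fails integrity checking after a source NAT while an ESP-NULL packet survives: AH's ICV covers the outer IP header with mutable fields such as TTL zeroed but source and destination addresses included, whereas ESP's ICV covers only the SPI, sequence number and payload. The IPv4 header is reduced to the fields the argument needs, the ICV is HMAC-SHA-256 truncated to 128 bits, and the key, addresses and datagram are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace

# Constructed sample key; in real IPsec this would be negotiated by IKE.
KEY = b"constructed demo key"
ICV_LEN = 16  # HMAC-SHA-256 truncated to 128 bits, as in RFC 4868


@dataclass(frozen=True)
class IPv4:
    """Outer IPv4 header reduced to the fields this example needs."""
    src: str
    dst: str
    ttl: int
    proto: int          # 51 = AH, 50 = ESP
    payload: bytes = b""


def ip_header_for_ah(h: IPv4) -> bytes:
    # AH authenticates the outer IP header with mutable-in-transit fields
    # (TTL, checksum, ...) zeroed; the source and destination addresses are
    # treated as immutable and are covered by the ICV (RFC 4302, 3.3.3.1).
    return struct.pack("!BB4s4s", 0, h.proto,
                       socket.inet_aton(h.src), socket.inet_aton(h.dst))


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(h: IPv4, spi: int, seq: int, data: bytes) -> IPv4:
    ah_hdr = struct.pack("!II", spi, seq)
    pkt = replace(h, proto=51)
    tag = icv(ip_header_for_ah(pkt) + ah_hdr + data)
    return replace(pkt, payload=ah_hdr + tag + data)


def ah_verify(pkt: IPv4) -> bool:
    ah_hdr = pkt.payload[:8]
    tag = pkt.payload[8:8 + ICV_LEN]
    data = pkt.payload[8 + ICV_LEN:]
    # The receiver recomputes over the header *as received*, so any change
    # to src/dst in transit makes the ICV mismatch.
    return hmac.compare_digest(tag, icv(ip_header_for_ah(pkt) + ah_hdr + data))


def esp_null_protect(h: IPv4, spi: int, seq: int, data: bytes) -> IPv4:
    # ESP-NULL: no encryption, so the "ciphertext" is the plaintext. The ICV
    # covers SPI, sequence number and payload, never the outer IP header.
    esp_hdr = struct.pack("!II", spi, seq)
    tag = icv(esp_hdr + data)
    return replace(h, proto=50, payload=esp_hdr + data + tag)


def esp_null_verify(pkt: IPv4) -> bool:
    esp_hdr = pkt.payload[:8]
    body = pkt.payload[8:-ICV_LEN]
    tag = pkt.payload[-ICV_LEN:]
    return hmac.compare_digest(tag, icv(esp_hdr + body))


def router_hop(pkt: IPv4) -> IPv4:
    # An ordinary router only decrements TTL, which AH already excludes.
    return replace(pkt, ttl=pkt.ttl - 1)


def nat_rewrite(pkt: IPv4, public_src: str) -> IPv4:
    # A source NAT also replaces the private source address (the IP checksum
    # it would refresh is not modeled here).
    return replace(router_hop(pkt), src=public_src)


def demo() -> dict:
    hdr = IPv4("10.0.0.5", "203.0.113.9", ttl=64, proto=0)   # constructed
    data = b"constructed sample datagram"
    ah = ah_protect(hdr, spi=0x100, seq=1, data=data)
    esp = esp_null_protect(hdr, spi=0x200, seq=1, data=data)
    return {
        "ah_direct": ah_verify(ah),
        "esp_direct": esp_null_verify(esp),
        "ah_after_router": ah_verify(router_hop(ah)),
        "ah_after_nat": ah_verify(nat_rewrite(ah, "198.51.100.1")),
        "esp_after_nat": esp_null_verify(nat_rewrite(esp, "198.51.100.1")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'ICV OK' if ok else 'ICV FAIL'}")
```

Running it shows AH verifying across a plain router hop (TTL is excluded from the ICV) but failing after the NAT rewrites the source address, while ESP-NULL verifies in both cases. Transport-mode ESP behind a NAT still has the inner TCP/UDP checksum problem that NAT traversal (UDP encapsulation) was later defined to handle; that is outside this toy model.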
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass