AH or ESP

Merike Kaeo kaeo at merike.com
Tue May 26 19:23:52 CDT 2009


I agree as well that ESP-Null is the way to go for integrity. From an operational perspective, if you are supporting both v4 and v6 (and you will), then having different protocols will be a nightmare. The common denominator is ESP-Null.

Realistically for IPsec, unless you have the scalable credential issue resolved and easier configs from vendors, the operational time sink will have many looking elsewhere to accomplish what's needed in the name of security. (Total bummer IMHO.)

- merike

On May 26, 2009, at 4:35 PM, Jack Kohn wrote:

>>
>> The delusion that network operators can successfully use unhelpful
>> protocols and/or smoke and mirrors to force idealist network design on
>> others needs to end. People use new protocols because they are better.
>> If the benefit of moving to a new protocol does not outweigh the pain
>> of moving to it, people don't use it. That's why the OSI protocols did
>> not kill IP like they were supposed to in the 90s, it is why the largely
>> forgotten mandated move from Windows to secure OSes (i.e., Unix) for all
>> government employees never happened, and it is why IPv6 is sputtering.
>> If people want to use NAT, they are going to use NAT. They may stop
>> using it if the widespread adoption of peer to peer protocols means they
>> are missing out on things other people are doing. They are not going to
>> stop using NAT to use a protocol maliciously designed to break it; they
>> will just wait, patiently and nearly always successfully, for somebody
>> to come out with a version that has no such malice. They are certainly
>> not going to stop using NAT because somebody tells them they should use
>> a security protocol that does not secure anything worth securing.
>>
>> BitTorrent is a better anti-NAT tool than AH ever will be. More carrot,
>> less stick.
>>
>
> I agree. Folks are going to use ESP-NULL if they really want Integrity
> Protection.
>
>> -Dave
>>
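The mechanical reason behind both posters' conclusion is what each protocol's integrity check value (ICV) covers: AH (RFC 4302) authenticates the outer IP header with only its mutable fields zeroed, so the source and destination addresses are in the hash and a NAT rewrite invalidates it; ESP (RFC 4303), including ESP with the NULL cipher, authenticates only the ESP header and body, so the outer header can be rewritten freely while the payload stays protected. The following is an added illustration, not code from the thread or from any IPsec implementation: a deliberately simplified Python model of the two coverage rules using constructed addresses, key, SPI and payload. It leaves out real-world details such as ICV truncation, replay windows and checksum recomputation.

```python
"""Integrity coverage of AH vs ESP (ESP-NULL): why one survives NAT and the other does not.

Simplified model of the ICV coverage rules of RFC 4302 (AH) and RFC 4303 (ESP).
All addresses, keys, SPIs and payloads below are constructed sample values.
"""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51   # IANA protocol number for AH
ESP_PROTO = 50  # IANA protocol number for ESP
KEY = b"constructed-sample-key-not-for-real-use"


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header. The checksum is left at zero; both AH and NAT
    treat it as mutable, so its value never matters for this model."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,               # version 4, IHL 5
        0x00,               # TOS
        20 + payload_len,   # total length
        0x1234,             # identification (constructed)
        0x4000,             # flags = DF, fragment offset 0
        ttl,
        proto,
        0x0000,             # header checksum (zeroed here)
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )


def decrement_ttl(hdr: bytes) -> bytes:
    """What every router hop does to the outer header."""
    return hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:]


def nat_rewrite_source(hdr: bytes, new_src: str) -> bytes:
    """What a source NAT does to the outer header: replace the source address."""
    return hdr[:12] + socket.inet_aton(new_src) + hdr[16:]


def ah_icv(key: bytes, ip_hdr: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """AH ICV: HMAC over the IP header with mutable fields zeroed, the AH header
    with its own ICV field zeroed, and the payload. Addresses are immutable in
    AH's view and therefore stay in the hash."""
    h = bytearray(ip_hdr)
    h[1] = 0                    # TOS
    h[6:8] = b"\x00\x00"        # flags + fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    # AH header: next header (TCP, constructed), payload len, reserved, SPI, seq, zeroed ICV
    ah_hdr = struct.pack("!BBHII", 6, 4, 0, spi, seq) + b"\x00" * 32
    return hmac.new(key, bytes(h) + ah_hdr + payload, hashlib.sha256).digest()


def esp_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """ESP ICV: HMAC over the ESP header (SPI, sequence) and the body plus trailer.
    With the NULL cipher (ESP-NULL) the body is simply the plaintext payload.
    The outer IP header is not an input at all."""
    esp_hdr = struct.pack("!II", spi, seq)
    trailer = struct.pack("!BB", 0, 6)   # pad length 0, next header TCP (constructed)
    return hmac.new(key, esp_hdr + payload + trailer, hashlib.sha256).digest()


def compare(key: bytes = KEY, payload: bytes = b"GET / HTTP/1.1\r\n",
            spi: int = 0x1000, seq: int = 1) -> dict:
    """Return which ICVs still verify after each kind of in-path change."""
    hdr = ipv4_header("10.0.0.5", "192.0.2.10", AH_PROTO, len(payload))
    ah = ah_icv(key, hdr, spi, seq, payload)
    esp = esp_icv(key, spi, seq, payload)
    natted = nat_rewrite_source(hdr, "203.0.113.7")
    tampered = payload.replace(b"GET", b"PUT")
    return {
        # A router hop changes TTL, which AH treats as mutable: still verifies.
        "ah_after_ttl_decrement": hmac.compare_digest(ah, ah_icv(key, decrement_ttl(hdr), spi, seq, payload)),
        # A source NAT changes an immutable field: AH no longer verifies.
        "ah_after_nat": hmac.compare_digest(ah, ah_icv(key, natted, spi, seq, payload)),
        # ESP never covered the outer header, so the same NAT is invisible to it.
        "esp_after_nat": hmac.compare_digest(esp, esp_icv(key, spi, seq, payload)),
        # ...while the payload itself is still fully protected.
        "esp_after_payload_tamper": hmac.compare_digest(esp, esp_icv(key, spi, seq, tampered)),
    }


if __name__ == "__main__":
    for name, ok in compare().items():
        print(f"{name:26s} {'verifies' if ok else 'FAILS'}")
```

Run as a script it prints one line per case; the AH check fails only for the NAT case, while the ESP-NULL check survives NAT and still catches a modified payload, which is the integrity property the thread is after.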

More information about the NANOG mailing list