AH is pretty useless and perhaps should be deprecated

Steven Bellovin smb at cs.columbia.edu
Sat Nov 14 23:12:24 UTC 2009


On Nov 14, 2009, at 2:46 PM, Adam Stasiniewicz wrote:

> I have seen AH used in network segmentation.  I.e. systems in group A are
> configured with rules to require all communication be over AH.  Systems in
> group B (which have no AH and no appropriate certificates configured) can't
> chat with group A.  The benefit of using AH vs. ESP in this case is twofold.
> First, AH is less CPU intensive, and when one considers enabling it on
> all/many workstations and servers in a company, that can add up to a lot of
> CPU cycles.  Second, since AH only signs, not encrypts, products like
> network analyzers, IDS/IPS, etc can still perform their functions.

ESP with NULL encryption only authenticates (not "signs") also.  However, one can't tell in a context-free way that NULL is in use.  If you're using it, though, I can't see how AH could be less expensive.

AH has been controversial for years.  I've been asking folks to delete it since 1995.  I've never succeeded...  At least RFC 4301 deprecated it to a MAY instead of a MUST for IPsec implementors.
> 
> Outside of some manual deployments, the only commercial product I know that
> offers AH based network segmentation is Microsoft's NAP:
> http://www.microsoft.com/nap 
> 
> Regards,
> Adam Stasiniewicz
> 
> -----Original Message-----
> From: Jack Kohn [mailto:kohn.jack at gmail.com] 
> Sent: Friday, November 13, 2009 6:23 PM
> To: nanog at nanog.org
> Subject: AH is pretty useless and perhaps should be deprecated
> 
> Hi,
> 
> Interesting discussion on the utility of Authentication Header (AH) in
> IPSecME WG.
> 
> http://www.ietf.org/mail-archive/web/ipsec/current/msg05026.html
> 
> Post explaining that AH, even though protecting the source and
> destination IP addresses, is really not good enough.
> 
> http://www.ietf.org/mail-archive/web/ipsec/current/msg05056.html
> 
> What do folks feel? Do they see themselves using AH in the future?
> IMO, ESP and WESP are good enough and we don't need to support AH any
> more.
> 
> Jack
> 
> 
> 


		--Steve Bellovin, http://www.cs.columbia.edu/~smb
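
The point above about ESP with NULL encryption not being recognizable "in a context-free way" can be seen from the header layouts; the following is an added example, not part of the original message. The function name `inspect_ipsec`, the `esp_icv_len` parameter and the sample packets (documentation addresses, dummy 12-byte ICV, SPI 0x1001) are constructed for illustration.

```python
import socket
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51

def inspect_ipsec(packet, esp_icv_len=None):
    """Report what an on-path inspector can read from one IPv4 packet.

    esp_icv_len is out-of-band context (assumption: the SA is known to use
    NULL encryption with an ICV of that many bytes); None means no context.
    """
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == IPPROTO_AH:
        # RFC 4302: Next Header and Payload Len lead the header in the clear.
        next_hdr, payload_len, _rsvd, spi, _seq = struct.unpack("!BBHII", body[:12])
        ah_len = (payload_len + 2) * 4
        return {"kind": "AH", "spi": spi, "inner_proto": next_hdr, "inner": body[ah_len:]}
    if proto == IPPROTO_ESP:
        # RFC 4303: only SPI and sequence number sit at fixed, readable offsets.
        spi, _seq = struct.unpack("!II", body[:8])
        seen = {"kind": "ESP", "spi": spi, "inner_proto": None, "inner": None}
        if esp_icv_len is not None:
            end = len(body) - esp_icv_len  # the trailer sits just before the ICV
            pad_len, next_hdr = body[end - 2], body[end - 1]
            seen.update(inner_proto=next_hdr, inner=body[8:end - 2 - pad_len])
        return seen
    return {"kind": "other", "spi": None, "inner_proto": proto, "inner": body}

def _ipv4(proto, body):
    # Constructed header: documentation addresses, checksum left at zero.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.1")) + body

# Constructed sample data: one inner payload, a dummy 12-byte ICV, SPI 0x1001.
INNER, ICV = b"constructed-udp-datagram", b"\x00" * 12
AH_PKT = _ipv4(IPPROTO_AH, struct.pack("!BBHII", IPPROTO_UDP, 4, 0, 0x1001, 1) + ICV + INNER)
PAD = bytes(range(1, (-(len(INNER) + 2)) % 4 + 1))
ESP_PKT = _ipv4(IPPROTO_ESP, struct.pack("!II", 0x1001, 1) + INNER + PAD
                + bytes([len(PAD), IPPROTO_UDP]) + ICV)

if __name__ == "__main__":
    for pkt, icv in ((AH_PKT, None), (ESP_PKT, None), (ESP_PKT, 12)):
        print(inspect_ipsec(pkt, icv))
```

Without the ICV length, the ESP packet yields only the SPI even though its payload is unencrypted; the AH packet exposes the inner protocol and payload with no context at all.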