AH is pretty useless and perhaps should be deprecated

Steven Bellovin smb at cs.columbia.edu
Sun Nov 15 02:58:41 UTC 2009

On Nov 14, 2009, at 8:28 PM, David Barak wrote:

> I've seen AH used as a "prove that this hasn't been through a NAT" mechanism.  In this context, it's pretty much perfect.
> However, what I don't understand is where the dislike for it originates: if you don't like it, don't run it.  It is useful in certain cases, and it's already in all of the production IPSec implementations.  Why the hate?

There are two reasons.  First, it's difficult to implement cleanly, since it violates layering: you have to know the contents of the surrounding IP header to calculate the AH field.  Back when I was security AD, I had implementors, especially implementors of on-NIC IPsec, beg me to get rid of it.  Second, it's redundant; if (as I believe), ESP with NULL encryption does everything useful that AH does, why have two mechanisms?

		--Steve Bellovin, http://www.cs.columbia.edu/~smb

More information about the NANOG mailing list