AH is pretty useless and perhaps should be deprecated
Marshall Eubanks
tme at americafree.tv
Sun Nov 15 09:12:19 UTC 2009
On Nov 14, 2009, at 9:58 PM, Steven Bellovin wrote:
>
> On Nov 14, 2009, at 8:28 PM, David Barak wrote:
>
>> I've seen AH used as a "prove that this hasn't been through a NAT"
>> mechanism. In this context, it's pretty much perfect.
>>
>> However, what I don't understand is where the dislike for it
>> originates: if you don't like it, don't run it. It is useful in
>> certain cases, and it's already in all of the production IPSec
>> implementations. Why the hate?
>
> There are two reasons. First, it's difficult to implement cleanly,
> since it violates layering: you have to know the contents of the
> surrounding IP header to calculate the AH field. Back when I was
> security AD, I had implementors, especially implementors of on-NIC
> IPsec, beg me to get rid of it. Second, it's redundant; if (as I
> believe), ESP with NULL encryption does everything useful that AH
> does, why have two mechanisms?
>
Maybe someone should push through an "IPSEC-lite" in the same way we
are pushing through IGMPv3-lite.
>
> --Steve Bellovin, http://www.cs.columbia.edu/~smb
Regards
Marshall
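The distinction Steve draws above (AH needs the surrounding IP header to compute its ICV, ESP with NULL encryption does not), as an added illustration that is not from the thread or any IPsec implementation: the AH ICV is computed over the outer IPv4 header with the RFC 4302 mutable fields zeroed, so a TTL decrement survives verification but a NAT rewrite of the source address does not, while the ESP-NULL ICV covers only the ESP header, payload and trailer and is indifferent to the outer header. Key, addresses, SPIs and payload are constructed values.

```python
"""AH vs ESP-NULL integrity coverage, worked on constructed packets."""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed; a real SA key comes from IKE
ICV_LEN = 16                   # HMAC-SHA-256-128 truncation (RFC 4868)


def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum over the header with its checksum field zeroed."""
    h = bytearray(hdr)
    h[10:12] = b"\x00\x00"
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(hdr: bytes) -> bytes:
    """Return the header with a freshly computed header checksum."""
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options), DF set, constructed ident."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return with_checksum(hdr)


def zero_mutable(hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1: DSCP/ECN, flags/fragment offset, TTL and checksum are mutable
    and zeroed for the ICV; addresses, length, ident and protocol stay covered."""
    h = bytearray(hdr)
    h[1] = 0                 # DSCP/ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(ip_hdr: bytes, ah_hdr: bytes, payload: bytes) -> bytes:
    """AH: the ICV covers the outer IP header (mutable fields zeroed), the AH header
    with its ICV field zeroed, and the payload. The sender must know the IP header."""
    covered = zero_mutable(ip_hdr) + ah_hdr + b"\x00" * ICV_LEN + payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]


def esp_null_icv(esp_hdr: bytes, payload: bytes, trailer: bytes) -> bytes:
    """ESP-NULL: the ICV covers ESP header, payload and trailer only; no IP header."""
    return hmac.new(KEY, esp_hdr + payload + trailer, hashlib.sha256).digest()[:ICV_LEN]


# Constructed sender-side fields.
PAYLOAD = b"constructed demo payload"
AH_HDR = struct.pack("!BBHII", 17, 5, 0, 0x1000, 1)  # next=UDP, len=(28/4)-2, reserved, SPI, seq
ESP_HDR = struct.pack("!II", 0x2000, 1)              # SPI, sequence number
ESP_TRAILER = bytes([0, 17])                         # pad length 0, next header = UDP


def transit_router_hop(hdr: bytes) -> bytes:
    """An ordinary router: decrement TTL and fix the checksum."""
    h = bytearray(hdr)
    h[8] -= 1
    return with_checksum(bytes(h))


def transit_nat(hdr: bytes, new_src: str = "203.0.113.7") -> bytes:
    """A NAT: rewrite the source address and fix the checksum."""
    h = bytearray(hdr)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return with_checksum(bytes(h))


def check_transit(transit) -> dict:
    """Sender computes both ICVs, the packet passes through `transit`, and the
    receiver recomputes each ICV over the header it actually receives."""
    total_len = 20 + len(AH_HDR) + ICV_LEN + len(PAYLOAD)
    sent_hdr = ipv4_header("10.0.0.5", "192.0.2.10", proto=51, total_len=total_len)
    sent_ah = ah_icv(sent_hdr, AH_HDR, PAYLOAD)
    sent_esp = esp_null_icv(ESP_HDR, PAYLOAD, ESP_TRAILER)
    recv_hdr = transit(sent_hdr)
    return {
        "ah": hmac.compare_digest(sent_ah, ah_icv(recv_hdr, AH_HDR, PAYLOAD)),
        "esp_null": hmac.compare_digest(sent_esp, esp_null_icv(ESP_HDR, PAYLOAD, ESP_TRAILER)),
    }


if __name__ == "__main__":
    print("router hop:", check_transit(transit_router_hop))  # both verify
    print("NAT:       ", check_transit(transit_nat))         # AH fails, ESP-NULL verifies
```

This is exactly the behaviour David describes ("prove that this hasn't been through a NAT") and the layering cost Steve describes: `ah_icv` cannot be computed without the IP header and the list of which fields a router may legitimately change, whereas `esp_null_icv` needs only ESP's own bytes.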