AH is pretty useless and perhaps should be deprecated

Marshall Eubanks tme at americafree.tv
Sun Nov 15 03:12:19 CST 2009


On Nov 14, 2009, at 9:58 PM, Steven Bellovin wrote:

>
> On Nov 14, 2009, at 8:28 PM, David Barak wrote:
>
>> I've seen AH used as a "prove that this hasn't been through a NAT"  
>> mechanism.  In this context, it's pretty much perfect.
>>
>> However, what I don't understand is where the dislike for it  
>> originates: if you don't like it, don't run it.  It is useful in  
>> certain cases, and it's already in all of the production IPSec  
>> implementations.  Why the hate?
>
> There are two reasons.  First, it's difficult to implement cleanly,  
> since it violates layering: you have to know the contents of the  
> surrounding IP header to calculate the AH field.  Back when I was  
> security AD, I had implementors, especially implementors of on-NIC  
> IPsec, beg me to get rid of it.  Second, it's redundant; if (as I  
> believe), ESP with NULL encryption does everything useful that AH  
> does, why have two mechanisms?
>

Maybe someone should push through a "IPSEC-lite" in the same way we  
are pushing through IGMPv3-lite.

>
> 		--Steve Bellovin, http://www.cs.columbia.edu/~smb

Regards
Marshall

>
>
>
>
>
>
>





More information about the NANOG mailing list