AH is pretty useless and perhaps should be deprecated
kaeo at merike.com
Sun Nov 15 09:23:31 UTC 2009
No - if you read the pointers below carefully, they do specify that
ESP-Null is a MUST for the OSPFv3 authentication protocol while AH is a
MAY. AH is mostly superfluous and complicates implementations.
Someone on the IPsec mailing list stated that at least two
implementations he was aware of used ESP-Null for OSPFv3 where one
did not even have any support for AH.
And I know I'm probably violating some posting etiquette here, but to
answer an earlier comment on the same thread where someone asked why the
hate for AH and what's the problem if it's already in all of the
production IPsec implementations... I can state firsthand that for
many IPsec interoperability tests AH is hardly if ever tested. I
have been a part of some of them as an interested 3rd party (i.e. non-
vendor), so I have seen what gets tested. AH is always last from what
I've seen, and rarely does anyone ever get to it. [caveat - my
experience comes from multivendor consortium-type tests and not what
vendors may do privately amongst themselves]
And FWIW... I've been doing skunkworks IPsec for the past 10 years, and
right now there's yet another effort to come up with interoperable
defaults, which is being led by the aviation industry and is looking
at IETF-defined profiles, NSA-related recommendations, NIST
recommendations and ICSA IPsec consortium recommendations. There was
a meeting in Seattle last week, and many vendors as well as NIST, DoD
and other parties participated. If you are at all running IPsec in a
major way and care about interoperable defaults and consistent
terminology, contact me offline and I'll get you connected to the
group. Vendors will only 'fix' their implementations if there's
cohesion from the customer base.
On Nov 14, 2009, at 10:58 PM, Mohacsi Janos wrote:
> On Sat, 14 Nov 2009, Jack Kohn wrote:
>> Interesting discussion on the utility of Authentication Header (AH) in
>> the IPSecME WG.
>> Post explaining that AH, even though it protects the source and
>> destination IP addresses, is really not good enough.
>> What do folks feel? Do they see themselves using AH in the future?
>> IMO, ESP and WESP are good enough and we don't need to support AH any
>> more ..
> They are planning to make OSPFv3 IPSec authentication useless?
> Best Regards,
> Janos Mohacsi