AH is pretty useless and perhaps should be deprecated

Merike Kaeo kaeo at merike.com
Sun Nov 15 09:23:31 UTC 2009

No - if you read the below pointers carefully it does specify that  
ESP-Null is a MUST for OSPFv3 authentication protocol while AH is a  
MAY.  AH is mostly superfluous and complicates implementations.

Someone on the IPsec mailing list stated that at least two  
implementations he was aware of used ESP-Null for OSPFv3 where one  
did not even have any support for AH.

And I know I'm probably violating some posting etiquette here but to
answer an earlier comment on the same thread where someone asked why the
hate for AH and what's the problem if it's already in all of the
production IPsec implementations... I can firsthand state that for
many IPsec interoperability tests AH is hardly if ever tested.  I
have been a part of some of them as an interested 3rd party (i.e. non
vendor) so have seen what gets tested.  AH is always last from what
I've seen and rarely does anyone ever get to it. [caveat - my
experience comes from multivendor consortium type tests and not what
vendors may do privately amongst themselves]

And FWIW... I've been doing skunkworks IPsec for the past 10 years and
right now there's yet another effort to come up with interoperable
defaults which is being led by the aviation industry and is looking
at IETF defined profiles, NSA related recommendations, NIST
recommendations and ICSA IPsec consortium recommendations.  There was
a meeting in Seattle last week and many vendors as well as NIST, DoD
and other parties participated.  If you are at all running IPsec in a
major way and care about interoperable defaults and consistent
terminology, contact me offline and I'll get you connected to the
group.  Vendors will only 'fix' their implementations if there's
cohesion from the customer base.

- merike

On Nov 14, 2009, at 10:58 PM, Mohacsi Janos wrote:

> On Sat, 14 Nov 2009, Jack Kohn wrote:
>> Hi,
>> Interesting discussion on the utility of Authentication Header (AH) in
>> IPSecME WG.
>> http://www.ietf.org/mail-archive/web/ipsec/current/msg05026.html
>> Post explaining that AH even though protecting the source and
>> destination IP addresses is really not good enough.
>> http://www.ietf.org/mail-archive/web/ipsec/current/msg05056.html
>> What do folks feel? Do they see themselves using AH in the future?
>> IMO, ESP and WESP are good enough and we don't need to support AH any
>> more ..
> They are planning to make OSPFv3 IPSec authentication useless?
> Best Regards,
> 	Janos Mohacsi

More information about the NANOG mailing list