AH is pretty useless and perhaps should be deprecated

Joel Jaeggli joelja at bogus.com
Mon Nov 16 00:17:29 CST 2009


Bill Fehring wrote:
> On Sun, Nov 15, 2009 at 20:48, Joel Jaeggli <joelja at bogus.com> wrote:
>> Owen DeLong wrote:
>>> I've never seen anyone use AH vs. ESP.
>> OSPFv3?
> 
> Maybe I'm asking a dumb question, but why would one prefer AH over ESP
> for OSPFv3?

Header protection... still doesn't provide replay protection, your
mileage may vary

http://tools.ietf.org/html/draft-ietf-opsec-routing-protocols-crypto-issues-02

> RFC4552:
> "In order to provide authentication to OSPFv3, implementations MUST
> support ESP and MAY support AH."
> 
> -Bill
> 




More information about the NANOG mailing list