AH is pretty useless and perhaps should be deprecated

Jack Kohn kohn.jack at gmail.com
Tue Nov 17 00:23:39 UTC 2009


I read the draft and its very interesting. There were some issues that
i had never imagined could exist and it does a wonderful job of
brining them forth.

However, i still dont understand why AH would be preferred over
ESP-NULL in case of OSPFv3. The draft speaks of issues with replaying
the OSPF packets. One could also do these things with AH.

Am i missing something?

Jack

On Mon, Nov 16, 2009 at 11:47 AM, Joel Jaeggli <joelja at bogus.com> wrote:
>
>
> Bill Fehring wrote:
>> On Sun, Nov 15, 2009 at 20:48, Joel Jaeggli <joelja at bogus.com> wrote:
>>> Owen DeLong wrote:
>>>> I've never seen anyone use AH vs. ESP.
>>> OSPFv3?
>>
>> Maybe I'm asking a dumb question, but why would one prefer AH over ESP
>> for OSPFv3?
>
> Header protection... still doesn't provide replay protection, your
> mileage may vary
>
> http://tools.ietf.org/html/draft-ietf-opsec-routing-protocols-crypto-issues-02
>
>> RFC4552:
>> "In order to provide authentication to OSPFv3, implementations MUST
>> support ESP and MAY support AH."
>>
>> -Bill
>>
>
>




More information about the NANOG mailing list