Does anybody out there use Authentication Header (AH)?

Glen Kent glen.kent at
Mon Jan 2 00:29:22 UTC 2012

(Sigh) Here we go again.

AH is a liability and a baggage that we're carrying over our weary
shoulders. IMO we should have gotten rid of it a long time back. There
have been enough emails on multiple forums over this and Google is
probably your friend here. The only reason(s) we have AH is because
(i) circa early 1990s, US had export restrictions on encryption keys >
40 bits and ESP thus had restrictions on how it could be used. AH
otoh, only did authentication, for which the rules were much more
relaxed AND (ii) people earlier naively believed that AH protected the
IP header and ESP couldn't.

AH is a mess if you have NATs deployed, as AH breaks NAT. IPv6
proponents thus saw AH as a tool to push IPv6, since they hated NATs
(till someone discovered IPv6 NAT-PT, but that's a different story).

Most people think of ESP as "encryption" - they forget that it can be
used for data integrity verification without encryption as well.


On Mon, Jan 2, 2012 at 5:42 AM, John Smith <jsmith4112003 at> wrote:
> Hi,
> I am trying to see if there are people who use AH, especially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.
> Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH? Or is it that people don't care and just use what their vendors provide them?
> Regards,
> John
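
The thread's two technical points, that AH breaks under NAT and that ESP can provide integrity without encryption (ESP-NULL), shown as an added example that is not part of either message. It models only the integrity check value (ICV) coverage from RFC 4302 and RFC 4303 in transport mode; the key, addresses, SPI and payload are constructed, and HMAC-SHA-256-128 is an assumed algorithm choice.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed; a real SA gets its key from IKE
ICV_LEN = 16                   # HMAC-SHA-256 truncated to 128 bits (assumed algorithm)

def ip_header(src, dst, proto, body_len, ttl=64):
    # 20-byte IPv4 header; checksum left at 0 (mutable, never covered by an ICV)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]

def ah_input(pkt):
    # AH ICV input: whole packet with mutable IP fields and the ICV field zeroed
    b = bytearray(pkt)
    b[1] = 0                          # TOS/DSCP
    b[6:8] = b"\0\0"                  # flags + fragment offset
    b[8] = 0                          # TTL
    b[10:12] = b"\0\0"                # header checksum
    b[32:32 + ICV_LEN] = bytes(ICV_LEN)
    return bytes(b)                   # source/destination addresses stay covered

def build(mode, src, dst, payload):
    spi_seq = struct.pack("!II", 0x1000, 1)
    if mode == "ah":
        ah = struct.pack("!BBH", 6, 5, 0) + spi_seq + bytes(ICV_LEN)
        pkt = ip_header(src, dst, 51, len(ah) + len(payload)) + ah + payload
        return pkt[:32] + mac(ah_input(pkt)) + pkt[32 + ICV_LEN:]
    pad = -(len(payload) + 2) % 4     # ESP trailer must end on a 4-byte boundary
    body = spi_seq + payload + bytes(range(1, pad + 1)) + bytes([pad, 6])
    return ip_header(src, dst, 50, len(body) + ICV_LEN) + body + mac(body)  # ESP-NULL

def verify(pkt):
    if pkt[9] == 51:                  # AH: ICV depends on the IP addresses
        return hmac.compare_digest(pkt[32:32 + ICV_LEN], mac(ah_input(pkt)))
    return hmac.compare_digest(pkt[-ICV_LEN:], mac(pkt[20:-ICV_LEN]))  # ESP: IP header excluded

def nat(pkt, new_src):
    # Source NAT as a middlebox applies it: rewrite the source address, decrement TTL
    b = bytearray(pkt)
    b[12:16] = socket.inet_aton(new_src)
    b[8] -= 1
    return bytes(b)

def demo():
    # Returns {mode: (verifies before NAT, verifies after NAT)}
    out = {}
    for mode in ("ah", "esp-null"):
        pkt = build(mode, "10.0.0.5", "198.51.100.7", b"constructed payload")
        out[mode] = (verify(pkt), verify(nat(pkt, "203.0.113.9")))
    return out
```

The ESP-NULL packet still verifies after translation because its ICV never covered the outer IP header; the AH packet fails on the address rewrite alone, while a TTL-only change passes because TTL is zeroed before the ICV is computed.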
