Hi,

I'm no expert, but I think the Security Area might have an opinion on this.

Note that according to RFC 8221:

"The last method that can be used is ESP+AH. This method is NOT RECOMMENDED."

"ENCR_NULL status was set to MUST in [RFC7321] and remains a MUST to enable the use of ESP with only authentication, which is preferred over AH due to NAT traversal."

"As mentioned by [RFC7321], it is NOT RECOMMENDED to use ESP with NULL authentication (with non-authenticated encryption) in conjunction with AH; some configurations of this combination of services have been shown to be insecure [PD10]."

That seems pretty close to deprecation already.

Regards/Ngā mihi
Brian Carpenter

On 01-Jan-26 09:01, Tom Herbert wrote:
Happy New Year!

I've posted a new draft that would formally deprecate the IP Authentication Header. Any comments are appreciated.

Thanks,
Tom

---------- Forwarded message ---------
From: <[email protected]>
Date: Wed, Dec 31, 2025 at 11:58 AM
Subject: New Version Notification for draft-herbert-deprecate-auth-header-00.txt
To: Tom Herbert <[email protected]>

A new version of Internet-Draft draft-herbert-deprecate-auth-header-00.txt has been successfully submitted by Tom Herbert and posted to the IETF repository.

Name: draft-herbert-deprecate-auth-header
Revision: 00
Title: Deprecate IP Authentication Header
Date: 2025-12-31
Group: Individual Submission
Pages: 14
URL: https://www.ietf.org/archive/id/draft-herbert-deprecate-auth-header-00.txt
Status: https://datatracker.ietf.org/doc/draft-herbert-deprecate-auth-header/
HTMLized: https://datatracker.ietf.org/doc/html/draft-herbert-deprecate-auth-header

Abstract:

This document deprecates the IP Authentication Header. The motivations are that authentication without confidentiality is not compelling, the Authentication Header is incompatible with some commonly deployed protocols, and there is likely no deployment of Authentication Header.

The IETF Secretariat

_______________________________________________
Int-area mailing list -- [email protected]
To unsubscribe send an email to [email protected]
