On Wed, Dec 31, 2025 at 1:12 PM Brian E Carpenter <[email protected]> wrote:
>
> Hi,
>
> I'm no expert, but I think the Security Area might have an opinion on this.
>
> Note that according to RFC 8221:
>
> "The last method that can be used is ESP+AH. This method is NOT
> RECOMMENDED."
>
> "ENCR_NULL status was set to MUST in [RFC7321] and remains a MUST to
> enable the use of ESP with only authentication, which is preferred
> over AH due to NAT traversal."
>
> "As mentioned by [RFC7321], it is NOT RECOMMENDED to use ESP with
> NULL authentication (with non-authenticated encryption) in
> conjunction with AH; some configurations of this combination of
> services have been shown to be insecure [PD10]."
>
> That seems pretty close to deprecation already.
Hi Brian,

Indeed. I'm looking forward to completing the formal deprecation and
removing the code from the OS (Linux at least) :-).

Tom

>
> Regards/Ngā mihi
> Brian Carpenter
>
> On 01-Jan-26 09:01, Tom Herbert wrote:
> > Happy New Year!
> >
> > I've posted a new draft that would formally deprecate the IP
> > Authentication Header. Any comments are appreciated.
> >
> > Thanks,
> > Tom
> >
> >
> > ---------- Forwarded message ---------
> > From: <[email protected]>
> > Date: Wed, Dec 31, 2025 at 11:58 AM
> > Subject: New Version Notification for draft-herbert-deprecate-auth-header-00.txt
> > To: Tom Herbert <[email protected]>
> >
> >
> > A new version of Internet-Draft draft-herbert-deprecate-auth-header-00.txt
> > has been successfully submitted by Tom Herbert and posted to the
> > IETF repository.
> >
> > Name:     draft-herbert-deprecate-auth-header
> > Revision: 00
> > Title:    Deprecate IP Authentication Header
> > Date:     2025-12-31
> > Group:    Individual Submission
> > Pages:    14
> > URL:      https://www.ietf.org/archive/id/draft-herbert-deprecate-auth-header-00.txt
> > Status:   https://datatracker.ietf.org/doc/draft-herbert-deprecate-auth-header/
> > HTMLized: https://datatracker.ietf.org/doc/html/draft-herbert-deprecate-auth-header
> >
> >
> > Abstract:
> >
> >    This document deprecates the IP Authentication Header. The
> >    motivations are that authentication without confidentiality is not
> >    compelling, the Authentication Header is incompatible with some
> >    commonly deployed protocols, and there is likely no deployment of
> >    Authentication Header.
> >
> >
> >
> > The IETF Secretariat
> >
> > _______________________________________________
> > Int-area mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
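The RFC 8221 text Brian quotes says ESP with only authentication is preferred over AH "due to NAT traversal". The script below is an added illustration of why, not code from the thread, the draft, or any IPsec implementation: it builds a transport-mode AH packet and an ESP packet with ENCR_NULL, both integrity-protected with HMAC-SHA-256 truncated to 128 bits (AUTH_HMAC_SHA2_256_128), passes each through a simulated source NAT, and checks the ICV again. AH's ICV covers the IP header (with the RFC 4302 mutable fields zeroed), so rewriting the source address breaks it; ESP's ICV covers only the ESP header, payload and trailer, so the same rewrite leaves it intact. The key, SPI, addresses and payload are constructed sample values.

```python
"""Added example: AH vs. ESP-NULL integrity under a source NAT (constructed data)."""
import hashlib
import hmac
import socket
import struct

KEY = bytes(range(32))   # constructed 256-bit sample key, not a real SA key
SPI = 0x1000             # constructed sample SPI
ICV_LEN = 16             # AUTH_HMAC_SHA2_256_128: 128-bit truncated tag
AH_PROTO, ESP_PROTO = 51, 50


def icv(data: bytes) -> bytes:
    """HMAC-SHA-256 truncated to 128 bits, as RFC 8221 names it."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of a header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum; DF set."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """IPv4 header as AH authenticates it: RFC 4302 mutable fields zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # ToS / DSCP / ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)          # source and destination addresses stay covered


def ah_protect(src: str, dst: str, next_hdr: int, payload: bytes, seq: int = 1) -> bytes:
    """Transport-mode AH: ICV over immutable IP header + AH header (ICV zeroed) + payload."""
    ah_len = 12 + ICV_LEN
    payload_len_field = ah_len // 4 - 2          # AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", next_hdr, payload_len_field, 0, SPI, seq)
    ip = build_ipv4(src, dst, AH_PROTO, ah_len + len(payload))
    mac = icv(ah_immutable_view(ip) + ah_fixed + bytes(ICV_LEN) + payload)
    return ip + ah_fixed + mac + payload


def ah_verify(pkt: bytes) -> bool:
    ip, rest = pkt[:20], pkt[20:]
    ah_fixed, mac, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    expected = icv(ah_immutable_view(ip) + ah_fixed + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(mac, expected)


def esp_null_protect(src: str, dst: str, next_hdr: int, payload: bytes, seq: int = 1) -> bytes:
    """Transport-mode ESP with ENCR_NULL: ICV over SPI, seq, payload and trailer only."""
    pad_len = (-(len(payload) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))       # RFC 4303 default padding 1, 2, 3, ...
    body = struct.pack("!II", SPI, seq) + payload + padding + bytes([pad_len, next_hdr])
    ip = build_ipv4(src, dst, ESP_PROTO, len(body) + ICV_LEN)
    return ip + body + icv(body)


def esp_null_verify(pkt: bytes) -> bool:
    body, mac = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(mac, icv(body))


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """What an address-only source NAT does: new source, TTL decremented, checksum fixed."""
    h = bytearray(pkt[:20])
    h[12:16] = socket.inet_aton(new_src)
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def demo() -> dict:
    payload = b"constructed sample payload"    # constructed, stands in for a UDP datagram
    ah = ah_protect("10.0.0.2", "203.0.113.5", 17, payload)
    esp = esp_null_protect("10.0.0.2", "203.0.113.5", 17, payload)
    return {
        "ah_before_nat": ah_verify(ah),
        "ah_after_nat": ah_verify(nat_rewrite_source(ah, "198.51.100.1")),
        "esp_before_nat": esp_null_verify(esp),
        "esp_after_nat": esp_null_verify(nat_rewrite_source(esp, "198.51.100.1")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV ok' if ok else 'ICV FAILED'}")
```

The NAT here rewrites only the address; a port-translating NAT would also need to see a transport header, which is the separate problem UDP encapsulation of ESP solves. The point the quoted RFC text makes is the first one: AH deliberately binds its integrity check to the outer addresses, so it cannot survive any address translation, while ESP with NULL encryption gives the same integrity guarantee over the payload without that binding.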
