On 31/12/2025 18:16, Tom Herbert wrote:
> On Wed, Dec 31, 2025 at 1:12 PM Brian E Carpenter <[email protected]> wrote:
>> Hi,
>>
>> I'm no expert, but I think the Security Area might have an opinion on this.
>> Note that according to RFC 8221:
>>
>> "The last method that can be used is ESP+AH. This method is NOT RECOMMENDED."
>>
>> "ENCR_NULL status was set to MUST in [RFC7321] and remains a MUST to enable the use of ESP with only authentication, which is preferred over AH due to NAT traversal."
>>
>> "As mentioned by [RFC7321], it is NOT RECOMMENDED to use ESP with NULL authentication (with non-authenticated encryption) in conjunction with AH; some configurations of this combination of services have been shown to be insecure [PD10]."
>>
>> That seems pretty close to deprecation already.
>
> Hi Brian,
>
> Indeed. I'm looking forward to completing the formal deprecation and removing the code from the OS (linux at least) :-).
FWIW, if you're into that, you may start by disabling the feature by default and/or implementing a sysctl to do so.
Thanks,
-- 
Fernando Gont
e-mail: [email protected]
PGP Fingerprint: 7F7F 686D 8AC9 3319 EEAD C1C8 D1D5 4B94 E301 6F01

_______________________________________________
Int-area mailing list -- [email protected]
To unsubscribe send an email to [email protected]
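Before disabling AH by default on a Linux host, an operator would want to know whether any AH SAs are installed; the following POSIX shell check is an added example (not code from this thread or from the kernel) that parses `ip xfrm state` output for AH SAs and for ESP+AH bundles of the kind RFC 8221 marks NOT RECOMMENDED. The SAMPLE text is constructed to mimic `ip xfrm state` output so the script runs offline, and treating "same reqid carries both an ah and an esp SA" as a bundle is an assumption.

```shell
#!/bin/sh
# Added example: look for Authentication Header (proto ah) SAs in the
# kernel SA database. Live data comes from `ip xfrm state`; SAMPLE is a
# constructed stand-in with one ESP+AH transport bundle and one ESP tunnel SA.
SAMPLE='src 192.0.2.1 dst 192.0.2.2
  proto ah spi 0x00000100 reqid 1 mode transport
  replay-window 32
  auth-trunc hmac(sha256) 0x0000 128
src 192.0.2.1 dst 192.0.2.2
  proto esp spi 0x00000200 reqid 1 mode transport
  replay-window 32
  enc cbc(aes) 0x0000
src 198.51.100.1 dst 198.51.100.2
  proto esp spi 0x00000300 reqid 2 mode tunnel
  aead rfc4106(gcm(aes)) 0x0000 128'

# Emit "<proto> <reqid>" for every SA in xfrm state output read from stdin.
# On a "proto" line the fields are: proto <p> spi <spi> reqid <id> mode <m>.
sa_list() {
    awk '$1 == "proto" { print $2, $6 }'
}

# Number of AH SAs present.
count_ah() {
    sa_list | awk '$1 == "ah"' | wc -l | tr -d ' '
}

# Number of reqids that carry both an AH and an ESP SA (assumed ESP+AH bundle).
count_esp_ah_bundles() {
    sa_list | sort -u | awk '{ seen[$2] = seen[$2] " " $1 }
        END { n = 0; for (r in seen) if (seen[r] ~ /ah/ && seen[r] ~ /esp/) n++; print n }'
}

# Summarise and return non-zero when AH is in use, so a monitoring job can alert.
check_ah_usage() {
    input=$(cat)
    ah=$(printf '%s\n' "$input" | count_ah)
    bundles=$(printf '%s\n' "$input" | count_esp_ah_bundles)
    printf 'AH SAs: %s, ESP+AH bundles: %s\n' "$ah" "$bundles"
    [ "$ah" -eq 0 ]
}

# Against the live kernel (needs CAP_NET_ADMIN): ip xfrm state | check_ah_usage
printf '%s\n' "$SAMPLE" | check_ah_usage || echo "AH still in use; not safe to disable yet"
```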
