On Fri, Jan 2, 2026 at 2:02 PM Eliot Lear <[email protected]> wrote:
>
> On 02.01.2026 13:24, Tom Herbert wrote:
> > We cannot prove no one is using it, however given the fact NAT breaks
> > AH and AH would break checksum offload (at least in Linux) the vast
> > majority of billions of computers couldn't use AH even if they wanted
> > to.
>
> Just an FYI- there are implementations that DO use AH that would not
> generally be impacted by NAT. These would be used in site-to-site VPNs and
> with OSPFv3. AH is recommended by at least two vendors for use with OSPFv3
> (specifically with IPv6) [1,2] to match the advice given in RFC 5340 [3], which
> has neither been updated nor obsoleted. There are probably other RFCs hiding out
> there that use IPSEC as a crutch, given that was common practice in the 1990s
> and early 2000s. If you're going to deprecate AH, you should probably do a
> little digging to see what we're in for.
Hi Eliot,

I understand how AH might be used with OSPF, but why would someone use AH
for VPN instead of ESP?

Tom

>
> Finally, I would advise against policy changes based on extrapolations.
>
> Eliot
>
> [1] https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/ip-routing/b-ip-routing/m_ip6-route-ospfv3-auth-ipsec.html
> [2] https://supportportal.juniper.net/s/article/OSPFv3-authentication
> [3] https://datatracker.ietf.org/doc/rfc5340/
>

_______________________________________________
Int-area mailing list -- [email protected]
To unsubscribe send an email to [email protected]
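Why "NAT breaks AH" while ordinary forwarding does not, shown with an added example that is not part of this thread: the AH integrity check value covers the IPv6 header with only the mutable fields (Traffic Class, Flow Label, Hop Limit) zeroed, so a hop-limit decrement leaves it valid but any source-address rewrite invalidates it. The key, addresses, SPI and payload below are constructed sample values, and HMAC-SHA-256-128 (RFC 4868) is assumed as the ICV algorithm.

```python
import hmac
import hashlib
import struct
import ipaddress

# Simplified AH ICV over an IPv6 packet (RFC 4302 section 3.3.3, Appendix A3):
# HMAC over the IPv6 header with mutable fields zeroed, the AH header with its
# ICV field zeroed, and the payload. Source/destination addresses are immutable
# and therefore covered. All values below are constructed for illustration.

AH_PROTO = 51
OSPF_PROTO = 89
KEY = b"constructed sample key, not for real use"

def ipv6_header(src: str, dst: str, hop_limit: int, payload_len: int) -> bytes:
    """40-byte IPv6 header with Next Header = AH, zero Traffic Class / Flow Label."""
    first_word = 6 << 28  # Version 6, Traffic Class 0, Flow Label 0
    return struct.pack("!IHBB16s16s", first_word, payload_len, AH_PROTO, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

def zero_mutable_ipv6(hdr: bytes) -> bytes:
    """Zero the fields AH excludes from the ICV: Traffic Class, Flow Label, Hop Limit."""
    h = bytearray(hdr)
    h[0] &= 0xF0                 # keep Version, clear high nibble of Traffic Class
    h[1:4] = b"\x00\x00\x00"     # low nibble of Traffic Class + Flow Label
    h[7] = 0                     # Hop Limit
    return bytes(h)

def ah_icv(ip_hdr: bytes, spi: int, seq: int, next_hdr: int, payload: bytes) -> bytes:
    """128-bit ICV over zeroed IP header || AH header (ICV zeroed) || payload."""
    # AH Payload Len = (AH length in 32-bit words) - 2 = (12 + 16) / 4 - 2 = 5
    ah_hdr = struct.pack("!BBHII", next_hdr, 5, 0, spi, seq) + b"\x00" * 16
    mac = hmac.new(KEY, zero_mutable_ipv6(ip_hdr) + ah_hdr + payload, hashlib.sha256)
    return mac.digest()[:16]     # HMAC-SHA-256-128 truncation

def ah_survives(src: str, dst: str, src_seen_by_receiver: str) -> dict:
    """Sign at the sender, then verify at a receiver that sees (a) one hop-limit
    decrement and (b) the source address rewritten the way a NAT rewrites it."""
    payload = b"constructed OSPFv3-like payload"
    plen = 28 + len(payload)                       # AH header + payload
    sent = ipv6_header(src, dst, hop_limit=64, payload_len=plen)
    icv = ah_icv(sent, 0x100, 1, OSPF_PROTO, payload)
    routed = ipv6_header(src, dst, hop_limit=63, payload_len=plen)
    natted = ipv6_header(src_seen_by_receiver, dst, hop_limit=63, payload_len=plen)
    return {
        "after_hop_decrement": hmac.compare_digest(icv, ah_icv(routed, 0x100, 1, OSPF_PROTO, payload)),
        "after_address_rewrite": hmac.compare_digest(icv, ah_icv(natted, 0x100, 1, OSPF_PROTO, payload)),
    }
```

Calling `ah_survives("2001:db8:1::5", "2001:db8:2::9", "2001:db8:ffff::5")` returns `{'after_hop_decrement': True, 'after_address_rewrite': False}`; ESP, by contrast, does not cover the outer IP header at all, which is why it is the mode that coexists with NAT.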
