On 03.01.2026 00:21, Tom Herbert wrote:
> On Fri, Jan 2, 2026 at 2:02 PM Eliot Lear <[email protected]> wrote:
>> On 02.01.2026 13:24, Tom Herbert wrote:
>>> We cannot prove no one is using it, however given the fact NAT breaks AH and AH would break checksum offload (at least in Linux) the vast majority of billions of computers couldn't use AH even if they wanted to.
>>
>> Just an FYI- there are implementations that DO use AH that would not generally be impacted by NAT. These would be used in site-to-site VPNs and with OSPFv3. AH is recommended by at least two vendors for use with OSPFv3 (specifically with IPv6) [1,2] to match the advice given in RFC 5340 [3], which has neither been updated nor obsoleted. There are probably other RFCs hiding out there that use IPSEC as a crutch, given that was common practice in the 1990s and early 2000s. If you're going to deprecate AH, you should probably do a little digging to see what we're in for.
>
> Hi Eliot,
>
> I understand how AH might be used with OSPF, but why would someone use AH for VPN instead of ESP?
Sorry- you're right. Mostly ESP is used for site-to-site, although AH is supported for that purpose (certain jurisdictions).
Eliot
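To illustrate the point in the quoted exchange that NAT breaks AH but not ESP, here is an added Python example (constructed for this page, not code from the thread or from any implementation it cites): it computes an AH-style ICV over an IPv4 header with the RFC 4302 mutable fields zeroed and shows that an ordinary router hop (TTL decrement) still verifies, while a NAT source-address rewrite does not, whereas an ESP-style ICV never covers the outer header. It assumes a shared SA key, HMAC-SHA256-128, IPv4 rather than the IPv6/OSPFv3 case discussed, and omits padding, replay and option handling.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # assumed shared SA key (constructed, not real)
ICV_LEN = 12                    # HMAC-SHA256-128: 96-bit truncated ICV

def ip_checksum(data):
    """Standard one's-complement IPv4 header checksum."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    addrs = bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH8s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0, addrs)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def ah_icv(ip_hdr, ah_hdr, payload):
    """AH (RFC 4302): ICV over IP header with mutable fields zeroed, AH header with zeroed ICV, and payload."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"   # DSCP/ECN, flags+frag, TTL, checksum
    data = bytes(h) + ah_hdr + b"\0" * ICV_LEN + payload       # source/dest addresses stay covered
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]

def esp_icv(esp_hdr, payload):
    """ESP: ICV covers ESP header + payload only; the outer IP header is not included."""
    return hmac.new(KEY, esp_hdr + payload, hashlib.sha256).digest()[:ICV_LEN]

def forward(ip_hdr, new_src=None):
    """One hop: decrement TTL; a NAT additionally rewrites the source address."""
    src = new_src or ".".join(map(str, ip_hdr[12:16]))
    dst = ".".join(map(str, ip_hdr[16:20]))
    return ipv4_header(src, dst, ip_hdr[9], struct.unpack("!H", ip_hdr[2:4])[0], ip_hdr[8] - 1)

def demo():
    """Returns (AH valid after plain routing, AH valid after NAT, ESP valid after NAT)."""
    payload = b"OSPFv3-style hello (constructed payload)"
    ah_hdr = struct.pack("!BBHII", 89, 4, 0, 0x1000, 1)     # next=OSPF, len, reserved, SPI, seq
    ip_ah = ipv4_header("10.0.0.5", "192.0.2.1", 51, 20 + len(ah_hdr) + ICV_LEN + len(payload))
    icv = ah_icv(ip_ah, ah_hdr, payload)
    esp_hdr = struct.pack("!II", 0x2000, 1)                  # SPI, seq
    eicv = esp_icv(esp_hdr, payload)
    routed = forward(ip_ah)                                  # ordinary router hop
    natted = forward(ip_ah, "203.0.113.7")                   # NAT rewrites the source address
    return (hmac.compare_digest(ah_icv(routed, ah_hdr, payload), icv),
            hmac.compare_digest(ah_icv(natted, ah_hdr, payload), icv),
            hmac.compare_digest(esp_icv(esp_hdr, payload), eicv))  # (True, False, True)
```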
_______________________________________________ Int-area mailing list -- [email protected] To unsubscribe send an email to [email protected]
