I don't see a compelling argument to deprecate AH and doubt this draft will gain traction. If anything, you could write a draft documenting the problem with NAT compatibility.
Thanks,
Acee

> On Jan 2, 2026, at 9:18 PM, Brian E Carpenter <[email protected]> wrote:
>
>> I was looking for a way to see which RFCs cite RFC-4302 (and RFC-2402). Is there one? Google wasn't any help; although, the AI's response to "What cites rfc-4302?" is a great imitation of Humphrey Appleby in "Yes Minister".
>
> https://datatracker.ietf.org/doc/rfc4302/referencedby/
> https://datatracker.ietf.org/doc/rfc2402/referencedby/
>
> Regards/Ngā mihi
> Brian Carpenter
>
> On 03-Jan-26 12:40, Robinson, Herbie wrote:
>> From: Eliot Lear <[email protected]>
>>> On 02.01.2026 13:24, Tom Herbert wrote:
>>>> We cannot prove no one is using it, however given the fact NAT breaks AH and AH would break checksum offload (at least in Linux) the vast majority of billions of computers couldn't use AH even if they wanted to.
>>> Just an FYI - there are implementations that DO use AH that would not generally be impacted by NAT. These would be used in site-to-site VPNs and with OSPFv3. AH is recommended by at least two vendors for use with OSPFv3 (specifically with IPv6) [1,2] to match the advice given in RFC 5340 [3] that has neither been updated nor obsoleted.
>>> There are probably other RFCs hiding out there that use IPSEC as a crutch, given that was common practice in the 1990s and early 2000s. If you're going to deprecate AH, you should probably do a little digging to see what we're in for.
>>> Finally, I would advise against policy changes based on extrapolations.
>>> Eliot
>>
>> o The Cisco doc says you can use either AH or ESP. I didn't see anywhere where they specifically recommend AH (but I was reading quickly).
>> o The Juniper doc linked to gives examples for setting up AH and doesn't mention ESP. The page linked to at the bottom implies they also support ESP, but it's not real clear.
>>
>> Practically every hash and authentication algorithm listed in the vendor examples is considered insecure. That doesn't necessarily mean anything, it could just be out-of-date documentation. Up-to-date recommendations would probably be to use GCM (which has to be ESP and is probably faster than any secure hash used alone with the AH protocol). The only thing relevant I see there is that configuration changes would be necessary if AH actually got removed.
>>
>> RFC-5340 refers to RFC-4552 -- the bulk of the IPSec discussion appears there. The key phrase I see is "In order to provide authentication to OSPFv3, implementations MUST support ESP and MAY support AH." It would appear that movement to deprecate AH was already afoot.
>>
>> In terms of Tom's document, I think maybe there should be a quick reference to RFC-4552.
>>
>> I was looking for a way to see which RFCs cite RFC-4302 (and RFC-2402). Is there one? Google wasn't any help; although, the AI's response to "What cites rfc-4302?" is a great imitation of Humphrey Appleby in "Yes Minister".
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> [email protected]
>> List Info: https://mailman3.ietf.org/mailman3/lists/[email protected]/
>> --------------------------------------------------------------------

_______________________________________________
Int-area mailing list -- [email protected]
To unsubscribe send an email to [email protected]
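For the point raised in the quoted thread that NAT breaks AH while ordinary forwarding does not, the following added example (written for this archive page; it is not code from any participant or from a real IPsec stack) computes an RFC 4302 AH integrity check value over a constructed IPv4 packet and shows which header rewrites it survives. The key, SPI, addresses and payload are constructed values, and HMAC-SHA-256-128 truncation is assumed for the ICV.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = bytes(range(32))  # constructed demo key (not from the thread); a real SA's key comes from IKE
SPI, SEQ, ICV_LEN = 0x1000, 1, 16  # constructed SPI/sequence number; 16-byte ICV = HMAC-SHA-256-128

def ipv4_header(src, dst, payload_len, ttl=64, tos=0):
    """20-byte IPv4 header carrying AH (protocol 51); checksum left 0 (mutable, not in the ICV)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234, 0x4000,
                       ttl, 51, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def zero_mutable(hdr):
    """RFC 4302 Appendix A: TOS/DSCP/ECN, flags, fragment offset, TTL and header checksum
    are mutable and zeroed before the ICV is computed; the addresses are not."""
    return (hdr[:1] + b"\x00" + hdr[2:6] + b"\x00\x00" + b"\x00" + hdr[9:10]
            + b"\x00\x00" + hdr[12:])

def ah_icv(hdr, ah_fixed, payload):
    """ICV over immutable IP fields, the AH header with its ICV field zeroed, and the payload."""
    data = zero_mutable(hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]

def build_packet(src, dst, payload, ttl=64):
    # AH fixed part: next header (17 = UDP), payload length in 32-bit words minus 2, reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", 17, (12 + ICV_LEN) // 4 - 2, 0, SPI, SEQ)
    hdr = ipv4_header(src, dst, len(ah_fixed) + ICV_LEN + len(payload), ttl)
    return hdr + ah_fixed + ah_icv(hdr, ah_fixed, payload) + payload

def verify(packet):
    """Receiver-side check: recompute the ICV and compare in constant time."""
    hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(ah_icv(hdr, ah_fixed, payload), icv)

def forward_hop(packet):
    """A router decrementing TTL changes only a mutable field, so the ICV still verifies."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]

def nat_rewrite_source(packet, new_src):
    """A NAT rewriting the source address changes an immutable field, so the ICV fails."""
    return packet[:12] + ipaddress.IPv4Address(new_src).packed + packet[16:]

if __name__ == "__main__":
    pkt = build_packet("192.0.2.10", "198.51.100.5", b"constructed payload")
    print(verify(pkt), verify(forward_hop(pkt)), verify(nat_rewrite_source(pkt, "203.0.113.1")))  # True True False
```

ESP avoids this because its ICV does not cover the outer IP header at all, which is why it can be carried through NAT (with UDP encapsulation) while AH cannot.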
