At 7:44 AM +0530 11/12/09, Bhatia, Manav (Manav) wrote:
Steve,
I would have no problem deprecating AH in the context of the IPsec
architecture document, if others agree. It is less efficient than
ESP-NULL. However, other WGs have cited AH as the IPsec protocol of
choice for integrity/authentication in their environments, so there
will be a need to coordinate with them, and it may be unacceptable to
kill AH as a standalone protocol for them.
I agree that it is a trifle too early to start deprecating AH,
though I wouldn't mind doing so. OTOH, don't most WGs already
suggest AH as a MAY, and ESP-NULL as a MUST?
Not always. For example, I believe that OSPF security makes use of
AH, outside the IPsec context.
In any case what should be the stand for the newer work that comes
out of these WGs. Should they spell out support for AH, or should
they just be talking about ESP (or ESP-NULL or WESP)?
I'd recommend ESP-NULL, unless the context on which the operate might
require inspection by an intermediate system.
If we want to deprecate AH, or at least discourage its use in the
context of the IPSec architecture in the near future then shouldn't
we be working on this?
Part of the problem is that some WGs want to make use of IPsec
protocols outside of the IPsec architecture.
> I am not comfortable with the notion of ESP with WESP. WESP adds
> more per-packet overhead than ESP, and some users are very sensitive
to this aspect of IPsec use. Also, other WG rely on ESP and we would
need to convince them that the packet inspection features of WESP
merit making changes to their standards, which might be a tough sell.
I agree. However, we should start socializing WESP in other WGs so
that folks are at least aware of it.
Agree.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
