> All of the standards I've seen that explicitly define how IPsec is to be
> used for authentication (including RFC 4552 - Authentication/Confidentiality
> for OSPFv3) say that for authentication ESP-Null MUST be used and AH MAY.

Yes, this is correct. The latest PIM-SM authentication document
(http://tools.ietf.org/html/draft-ietf-pim-sm-linklocal-08) uses IPSec to
authenticate link-local messages in PIM-SM. It too says that ESP is a MUST
while use of AH is optional.

> Which RFCs specify AH specifically as a MUST for authentication/integrity?
> I am not aware of any that do that.
>
> Now on the flip side, in practical implementations, most vendors I know of
> started off with AH being used for OSPFv3 and I doubt in practice people
> are using ESP-Null. Would love to be wrong here :)

I don't think this is really true. I know of at least two major vendors that
use ESP-NULL and one of them doesn't even support AH.

Cheers, Manav

> - merike
>
> On Nov 11, 2009, at 7:28 PM, Stephen Kent wrote:
>
>> At 7:44 AM +0530 11/12/09, Bhatia, Manav (Manav) wrote:
>>> Steve,
>>>
>>>> I would have no problem deprecating AH in the context of the IPsec
>>>> architecture document, if others agree. It is less efficient than
>>>> ESP-NULL. However, other WGs have cited AH as the IPsec protocol of
>>>> choice for integrity/authentication in their environments, so there
>>>> will be a need to coordinate with them, and it may be unacceptable to
>>>> kill AH as a standalone protocol for them.
>>>
>>> I agree that it is a trifle too early to start deprecating AH, though I
>>> wouldn't mind doing so. OTOH, don't most WGs already suggest AH as a MAY,
>>> and ESP-NULL as a MUST?
>>
>> Not always. For example, I believe that OSPF security makes use of AH,
>> outside the IPsec context.
>>
>>> In any case, what should be the stand for the newer work that comes out
>>> of these WGs? Should they spell out support for AH, or should they just
>>> be talking about ESP (or ESP-NULL or WESP)?
>>
>> I'd recommend ESP-NULL, unless the context in which they operate might
>> require inspection by an intermediate system.
>>
>>> If we want to deprecate AH, or at least discourage its use in the
>>> context of the IPSec architecture in the near future, then shouldn't we
>>> be working on this?
>>
>> Part of the problem is that some WGs want to make use of IPsec protocols
>> outside of the IPsec architecture.
>>
>>>> I am not comfortable with the notion of ESP with WESP. WESP adds more
>>>> per-packet overhead than ESP, and some users are very sensitive to this
>>>> aspect of IPsec use. Also, other WGs rely on ESP and we would need to
>>>> convince them that the packet inspection features of WESP merit making
>>>> changes to their standards, which might be a tough sell.
>>>
>>> I agree. However, we should start socializing WESP in other WGs so that
>>> folks are at least aware of it.
>>
>> Agree.
>>
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec
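The thread turns on three concrete things: what an integrity-only ESP-NULL packet looks like on the wire, what the extra WESP header costs and buys (a middlebox can locate the cleartext payload without the SA key, which it cannot do for plain ESP-NULL because that is byte-for-byte indistinguishable from encrypted ESP), and how the per-packet overhead compares with AH. The following is an added, constructed example written for this page; it is not code from any participant, from an RFC, or from an IPsec implementation. It assumes HMAC-SHA1-96 (RFC 2404) as the integrity algorithm, a fixed sample key and a constructed payload, IPv4 alignment rules (IPv6 ICV alignment is not modelled), and it does not model integrity protection of the WESP header itself.

```python
"""ESP-NULL (RFC 4303) and WESP (RFC 5840) walk-through for the thread above.

Constructed example (editor's code, not from any participant, RFC or IPsec
implementation). Assumptions: HMAC-SHA1-96 (RFC 2404) integrity, a fixed
20-byte sample key, a constructed payload, IPv4 length rules.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12        # HMAC-SHA1-96: 20-byte HMAC-SHA1 truncated to 96 bits (RFC 2404)
ESP_HDR_LEN = 8     # SPI (4) + Sequence Number (4), RFC 4303
WESP_HDR_LEN = 4    # Next Header, HdrLen, TrailerLen, Flags, RFC 5840
AH_LEN_IPV4 = 24    # AH fixed fields (12) + 12-byte ICV, RFC 4302
WESP_FLAG_E = 0x20  # Flags byte: |V|V|E|P|Rsvd|; E=1 marks encrypted ESP
NH_OSPF = 89        # IP protocol number for OSPF, used as the illustrative next header

# Constructed sample inputs (not captured traffic).
SAMPLE_KEY = bytes.fromhex("0b" * 20)
SAMPLE_PAYLOAD = b"constructed OSPFv3 Hello"   # 24 bytes -> 2 bytes of ESP padding


def esp_padding_len(payload_len):
    """Padding needed so Pad Length and Next Header end on a 4-byte boundary."""
    return (-(payload_len + 2)) % 4


def build_esp_null(spi, seq, next_header, payload, key):
    """ESP with NULL encryption: header | payload | pad | padlen | NH | ICV."""
    pad_len = esp_padding_len(len(payload))
    padding = bytes(range(1, pad_len + 1))          # default monotonic padding
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def verify_esp_null(packet, key):
    """Check the ICV and strip the trailer; returns (spi, seq, next_header, payload)."""
    if len(packet) < ESP_HDR_LEN + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", body[:ESP_HDR_LEN])
    pad_len, next_header = body[-2], body[-1]
    payload = body[ESP_HDR_LEN:len(body) - 2 - pad_len]
    return spi, seq, next_header, payload


def build_wesp(esp_packet, next_header, encrypted=False):
    """Prepend the 4-byte WESP header (RFC 5840) to an ESP packet.

    For ESP-NULL, HdrLen/TrailerLen tell a middlebox where the cleartext
    payload starts and ends; for encrypted ESP those fields are zero and
    E=1. Integrity protection of the WESP header itself is not modelled.
    """
    if encrypted:
        hdr = bytes([0, 0, 0, WESP_FLAG_E])
    else:
        pad_len = esp_packet[-ICV_LEN - 2]
        trailer_len = pad_len + 2 + ICV_LEN
        hdr = bytes([next_header, WESP_HDR_LEN + ESP_HDR_LEN, trailer_len, 0])
    return hdr + esp_packet


def middlebox_inspect(wesp_packet):
    """What an intermediate system can do without the SA key.

    Returns (next_header, payload) for ESP-NULL, or None when E=1. A plain
    ESP-NULL packet carries no such marker, so without WESP the middlebox
    cannot tell it from encrypted ESP at all.
    """
    next_header, hdr_len, trailer_len, flags = wesp_packet[:WESP_HDR_LEN]
    if flags >> 6 != 0:
        raise ValueError("unknown WESP version")
    if flags & WESP_FLAG_E:
        return None
    return next_header, wesp_packet[hdr_len:len(wesp_packet) - trailer_len]


def ipv4_overhead(payload_len):
    """Bytes added on top of the payload by each integrity-only option."""
    esp_null = ESP_HDR_LEN + esp_padding_len(payload_len) + 2 + ICV_LEN
    return {"AH": AH_LEN_IPV4, "ESP-NULL": esp_null, "WESP": WESP_HDR_LEN + esp_null}


if __name__ == "__main__":
    esp = build_esp_null(0x1000, 1, NH_OSPF, SAMPLE_PAYLOAD, SAMPLE_KEY)
    print(verify_esp_null(esp, SAMPLE_KEY))
    wesp = build_wesp(esp, NH_OSPF)
    print(middlebox_inspect(wesp))
    print(ipv4_overhead(len(SAMPLE_PAYLOAD)))
```

Two things worth noticing when running it: the byte overhead of AH and ESP-NULL is the same or nearly the same for typical payload sizes (the efficiency argument against AH is about processing, since the AH ICV also covers the IP header with mutable fields zeroed, which is not modelled here), and WESP's cost is a flat 4 bytes per packet in exchange for letting an intermediate system find the cleartext payload from the header alone.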