On Sun, 13 Nov 2011, Vilhelm Jutvik wrote:

> From page 62, RFC 4301:
>
>  ...
> 4.  Apply AH or ESP processing as specified, using the SAD entry
>    selected in step 3a above.  Then match the packet against the
>    inbound selectors identified by the SAD entry to verify that the
>    received packet is appropriate for the SA via which it was
>    received.
>  ...
>
> This, if true, would imply that all functionality offered by AH could
> be provided by ESP. Is this true?

I agree. The people who prefer transport mode usually mutter something about
a few saved bytes and how that is better for the MTU. But tunnel mode works
much better through NAT than transport mode, which needs awkward hacks that
are all vendor-specific. ESP-null is basically the equivalent of AH. It has
been about a decade now that Ferguson and Schneier said to get rid of AH and
transport mode altogether - as a result of which FreeS/WAN 2.05 was released
that removed support for it.

See further: http://www.schneier.com/paper-ipsec.pdf

Paul
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
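As an added illustration of the point behind "ESP-null is basically the equivalent of AH" and the NAT remark above: a constructed Python model (not code from this list or from any IPsec implementation) of what each ICV covers. Plain HMAC-SHA256 stands in for the SA's integrity algorithm, and the key, addresses, SPI and payload are assumptions.

```python
"""Simplified model of ICV coverage: AH vs ESP(-null) when a NAT rewrites
the outer IP header.  Constructed example; HMAC-SHA256 stands in for the
per-SA integrity algorithm and KEY is a demo constant, not an IKE-derived key."""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # assumption: real SA keys come from IKE

def ipv4_header(src: str, dst: str, ttl: int = 64) -> bytes:
    # Minimal 20-byte IPv4 header; checksum left at 0 and protocol is a placeholder.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 50, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(ip_header: bytes, payload: bytes) -> bytes:
    # RFC 4302: AH's ICV covers the IP header with mutable fields (TTL, header
    # checksum) zeroed, so the source/destination addresses are authenticated.
    h = bytearray(ip_header)
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()

def esp_icv(esp_header: bytes, payload: bytes) -> bytes:
    # RFC 4303: ESP's ICV covers the ESP header and payload only; the outer IP
    # header is outside its scope, which is why ESP tolerates address rewriting.
    return hmac.new(KEY, esp_header + payload, hashlib.sha256).digest()

def nat_rewrite_source(ip_header: bytes, new_src: str) -> bytes:
    # A NAT replaces the source address (and would recompute the checksum).
    return ip_header[:12] + socket.inet_aton(new_src) + ip_header[16:]

def decrement_ttl(ip_header: bytes) -> bytes:
    # A router hop: TTL is a mutable field and must not break AH.
    return ip_header[:8] + bytes([ip_header[8] - 1]) + ip_header[9:]

def nat_traversal_demo() -> dict:
    """Whether each ICV still verifies after the outer header changes in transit."""
    hdr = ipv4_header("10.0.0.5", "192.0.2.10")           # constructed addresses
    payload = b"constructed integrity-protected payload"
    esp_hdr = struct.pack("!II", 0x1234, 1)               # SPI, sequence number
    ah_tag, esp_tag = ah_icv(hdr, payload), esp_icv(esp_hdr, payload)
    ok = hmac.compare_digest
    natted = nat_rewrite_source(hdr, "203.0.113.7")
    return {
        "ah_after_hop": ok(ah_tag, ah_icv(decrement_ttl(hdr), payload)),
        "ah_after_nat": ok(ah_tag, ah_icv(natted, payload)),
        # The receiver's ESP check never consults the (rewritten) outer header.
        "esp_after_nat": ok(esp_tag, esp_icv(esp_hdr, payload)),
    }
```

Running `nat_traversal_demo()` shows AH surviving a TTL decrement but failing after the NAT rewrite, while the ESP ICV is unaffected by either.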