On 15 Nov 2011, at 12:46, Scott Fluhrer (sfluhrer) wrote:

>> -----Original Message-----
>> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf
>> Of Frederic Detienne
>> Sent: Monday, November 14, 2011 8:52 PM
>> To: Paul Wouters
>> Cc: ipsec@ietf.org; Yoav Nir; Vilhelm Jutvik
>> Subject: Re: [IPsec] Does ESP provide all functionality offered by AH?
>>
>>
>> Can you please explain your point about transport mode being bad? We
>> do not see any problem with it in real world deployments. It is quite
>> the opposite actually.
>>
>> I agree that AH is a hindrance, especially that it protects the
>> non-mutable fields of the IP header and therefore prevents NAT and ToS
>> re-marking.
>
> One minor correction: the DSCP field is mutable, and hence ToS remarking
> is not a problem.

You are right. Thanks for the correction! :-)

fred

>> I.e. the main difference between AH and ESP_NULL is really
>> this outer IP header protection which is detrimental in most practical
>> networks.
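The following is an added example, not part of the thread: a simplified Python model of which outer IPv4 header bytes an AH-style integrity check covers, compared with ESP with NULL encryption. It assumes HMAC-SHA-256 truncated to 16 bytes, a header without options, constructed documentation addresses, and it leaves out the AH header itself; the function names are hypothetical.

```python
import hashlib
import hmac
import socket
import struct

# IPv4 fields RFC 4302 lists as mutable are zeroed before the ICV is computed:
# DSCP/ECN (byte 1), flags + fragment offset (bytes 6-7), TTL (byte 8),
# header checksum (bytes 10-11). Addresses and the rest stay covered.
MUTABLE_SPANS = [(1, 2), (6, 8), (8, 9), (10, 12)]

def build_ipv4_header(src, dst, dscp=0, ttl=64, proto=51, total_len=44):
    """Build a 20-byte IPv4 header without options (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, dscp << 2, total_len, 0x1234, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(key, ip_header, payload):
    """AH-style ICV: outer header with mutable fields zeroed, then the payload."""
    hdr = bytearray(ip_header)
    for start, end in MUTABLE_SPANS:
        hdr[start:end] = bytes(end - start)
    return hmac.new(key, bytes(hdr) + payload, hashlib.sha256).digest()[:16]

def esp_null_icv(key, ip_header, payload):
    """ESP-NULL-style ICV: the outer IP header is not part of the input."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:16]

def compare():
    """Return whether each ICV still verifies after in-path header changes."""
    key = b"constructed-demo-key"          # constructed sample key
    payload = b"constructed payload"       # constructed sample payload
    sent = build_ipv4_header("192.0.2.10", "198.51.100.20", dscp=0, ttl=64)
    # A router re-marks DSCP to 46 and decrements the TTL.
    remarked = build_ipv4_header("192.0.2.10", "198.51.100.20", dscp=46, ttl=61)
    # A NAT device rewrites the source address.
    natted = build_ipv4_header("203.0.113.5", "198.51.100.20", dscp=0, ttl=64)
    ah_ref = ah_icv(key, sent, payload)
    esp_ref = esp_null_icv(key, sent, payload)
    return {
        "ah_after_dscp_remark": ah_icv(key, remarked, payload) == ah_ref,
        "ah_after_nat": ah_icv(key, natted, payload) == ah_ref,
        "esp_null_after_nat": esp_null_icv(key, natted, payload) == esp_ref,
    }

if __name__ == "__main__":
    print(compare())
```
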