Hello,

On Mon, January 2, 2012 7:43 am, Venkatesh Sriram wrote:
> If ESP and AH continue to co-exist then I see the following happening:
> (i) standard for feature foo1 using ESP-NULL + SW effort + QA effort + interop effort
> (ii) standard for feature foo1 using AH + SW effort + QA effort + interop effort
> (iii) standard for feature foo2 using ESP-NULL + SW effort + QA effort + interop effort
> (iv) standard for feature foo2 using AH + SW effort + QA effort + interop effort
> ..
> (iii) standard for feature foo'n' using ESP-NULL + SW effort + QA effort + interop effort
> (iv) standard for feature foo'n' using AH + SW effort + QA effort + interop effort

If much of the above is not duplicative then you have bigger problems than AH.

> Now, I am willing to live with this if the security offered by AH and
> ESP-NULL is significantly different. I don't see why we should have
> this complication if ESP-NULL can do everything that AH has to offer.

Ran has provided a good list of things that AH can do that ESP-NULL cannot.

> Why should the operators learn managing ESP and AH when both do the
> same?
>
> RFC 4301, by declaring ESP as a MUST and AH as a MAY has already set
> the context. I don't see why vendors and everybody else in the food
> chain should spend cycles on AH, if it's not bringing anything
> substantial on the table?

If it's a MAY then don't spend any cycles on it. Implementations that support it MUST be prepared to interoperate with implementations that do not.

> I don't think the draft in question says that AH is bad and should be
> deprecated. It merely says that WGs should be circumspect when
> mandating AH since it's likely that most people are using ESP-NULL and
> you don't want to unnecessarily add complexity in people's lives for no
> good reason.

If you want to direct WGs to be circumspect when specifying AH then why don't you go sit in those WGs and instruct them in what they should be doing? Or at the very least comment during LC. Honestly, if a WG is not paying attention to RFC 4301 then what makes you think they're gonna pay attention to a random individual submission?

I don't have any particular love for AH but this effort is really lacking in one thing: a problem to solve. On the one hand, we're being told that the effort is necessary because WGs developing a "standard for protocol fool" need to be instructed on how to obtain integrity protection but we're also being told that discouraging AH is OK because no one (in NANOG) is using it and it's a MAY anyway.

These seem to be somewhat contradictory to me-- either no one's using it and we have a solution in search of a problem; or, someone's using it and it would probably be a problem to restrict its use in the future.

I detect the strong arm of a weak product management department at work here. If the engineers are complaining about implementing a protocol that isn't being used then grow a backbone and tell your customers that they're not gonna get support for a protocol they don't use.

regards,

Dan.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec