On 04 Jan 2012, at 09:18 , Bhatia, Manav (Manav) wrote:

>> There is no evidence of any recent change either to the operational
>> circumstances or to the available alternatives. So no update
>> is appropriate at this time.
>
> One major recent change is the publication of WESP [RFC 5840]
> and the standard for using Heuristics for detecting ESP-NULL packets
> [RFC 5879].
>
> This takes away one major reason why folks wanted to use AH -
> that of being able to deep inspect packets.

Unfortunately, that is wishful thinking, rather than reality.

Neither WESP nor the other document provides a 100% reliable way to parse-into/parse-past/deep-inspect ESP packets. One might wish otherwise, but the reality is that there is no 100% reliable method today.

Separately, as I've noted before, that isn't the only reason that folks use AH today in real-world deployments.

> Even the NIST guidelines for IPv6 deployment say that the main argument in
> favor of AH is the ability to inspect packets. With WESP even that goes away.

Since WESP is not 100% reliable, WESP does not affect that reason to retain AH.

Yours,

Ran

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec