On Wed, 26 Feb 2014, Valery Smyslov wrote:

>> It is for systems that don't implement AH. We should probably say this explicitly in section 3.
>
> I don't think it is limited for those systems only.
> You may implement AH, but you cannot use it
> everywhere, as it is not compatible with NATs.
> And ESP-NULL with Auth is the only substitute there.
> So, it must be MUST for any system.

Why did we not kill AH altogether when Schneier and Ferguson told us so? :P
But you are right. Perhaps some text along the line of:

        ESP-NULL offers the same protection as AH, but is more widely
        accepted and functional compared to AH. AH does not work through
        NATs and is not implemented in every IPsec stack. AH requires
        firewall rules different from ESP causing it to get accidentally
        filtered.  ESP-NULL is also used in performance testing as
        a benchmark against ESP encryption algorithms. ESP-NULL should
        never be automatically selected as part of IKE unless explicitly
        configured as the only ESP encryption algorithm.

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
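The thread's central claim, that AH does not survive a NAT while ESP-NULL with authentication does, comes down to what each protocol's ICV covers. The following is an added example written for this page; it is not code from the thread, from the IPsec drafts under discussion, or from any IPsec stack. It builds constructed IPv4 packets, computes the AH (RFC 4302) integrity value over the IP header with the mutable fields zeroed, computes the ESP (RFC 4303) integrity value over the ESP header, payload and trailer only, then rewrites the source address the way a source NAT would and re-verifies both. The key, SPI, addresses and payload are made-up test values; the IP checksum is left at zero and UDP encapsulation (RFC 3948), replay windows and the rest of a real SA are deliberately omitted so that only the ICV-scope difference is visible.

```python
import hmac
import hashlib
import struct

# Constructed test values: not a real key, SPI or SA.
KEY = b"\x0b" * 32
SPI = 0x1000
SEQ = 1
ICV_LEN = 16  # HMAC-SHA2-256-128: SHA-256 HMAC truncated to 128 bits
PAYLOAD = b"hello ipsec"


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int,
                ttl: int = 64, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header; checksum left zero for simplicity (AH zeroes it anyway)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident,
                       0x4000, ttl, proto, 0, src, dst)


def ah_auth_scope(ip_hdr: bytes, ah_hdr_zero_icv: bytes, payload: bytes) -> bytes:
    """AH authenticates the IP header with mutable fields zeroed (RFC 4302 3.3.3.1):
    TOS, flags/fragment offset, TTL and header checksum. Both addresses are covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS / DSCP
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h) + ah_hdr_zero_icv + payload


def ah_encapsulate(src: bytes, dst: bytes, payload: bytes, next_header: int = 17) -> bytes:
    ah_len_words = (12 + ICV_LEN) // 4 - 2       # AH "Payload Len" field
    ah_hdr = struct.pack("!BBHII", next_header, ah_len_words, 0, SPI, SEQ)
    ip = ipv4_header(src, dst, 51, 20 + 12 + ICV_LEN + len(payload))
    mac = icv(ah_auth_scope(ip, ah_hdr + b"\x00" * ICV_LEN, payload))
    return ip + ah_hdr + mac + payload


def ah_verify(packet: bytes) -> bool:
    ip, ah_hdr = packet[:20], packet[20:32]
    mac, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    expected = icv(ah_auth_scope(ip, ah_hdr + b"\x00" * ICV_LEN, payload))
    return hmac.compare_digest(mac, expected)


def esp_null_encapsulate(src: bytes, dst: bytes, payload: bytes, next_header: int = 17) -> bytes:
    """ESP with ENCR_NULL: the ICV covers SPI, seq, payload and trailer, never the IP header."""
    esp_hdr = struct.pack("!II", SPI, SEQ)
    pad_len = (-(len(payload) + 2)) % 4           # align pad len + next header to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, next_header)
    body = esp_hdr + payload + trailer
    ip = ipv4_header(src, dst, 50, 20 + len(body) + ICV_LEN)
    return ip + body + icv(body)


def esp_null_verify(packet: bytes) -> bool:
    body, mac = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(mac, icv(body))


def nat_rewrite_source(packet: bytes, new_src: bytes) -> bytes:
    """Simulate a source NAT: replace the IPv4 source address (bytes 12..16).
    A real NAT also recomputes the header checksum, which AH excludes anyway."""
    return packet[:12] + new_src + packet[16:]


def demonstrate() -> dict:
    src, dst, nat = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1]), bytes([203, 0, 113, 9])
    ah = ah_encapsulate(src, dst, PAYLOAD)
    esp = esp_null_encapsulate(src, dst, PAYLOAD)
    return {
        "ah_direct": ah_verify(ah),
        "ah_after_nat": ah_verify(nat_rewrite_source(ah, nat)),
        "esp_null_direct": esp_null_verify(esp),
        "esp_null_after_nat": esp_null_verify(nat_rewrite_source(esp, nat)),
    }


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name:20s} {'verifies' if ok else 'ICV FAILS'}")
```

The AH packet fails verification once the source address changes, because that address is inside the authenticated scope; the ESP-NULL packet verifies unchanged, because its ICV never covered the outer header. In practice the NAT problem for ESP is the absence of ports rather than the ICV, which is what UDP encapsulation solves, but no encapsulation can rescue AH since the address rewrite itself is what it detects.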