Paul,
On Wed, 26 Feb 2014, Valery Smyslov wrote:

It is for systems that don't implement AH. We should probably say this explicitly in section 3.

I don't think it is limited for those systems only.
You may implement AH, but you cannot use it
everywhere, as it is not compatible with NATs.
And ESP-NULL with Auth is the only substitute there.
So, it must be MUST for any system.

Why did we not kill AH altogether when Schneier and Ferguson told us so? :P
But you are right. Perhaps some text along the line of:
perhaps because they were wrong.

ESP-NULL offers better performance than AH and so it is desirable in
most cases. But, AH has been specified by some protocols and we don't
want to undermine their choice by killing it.

Steve

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec