On Thu, Jan 01, 2026 at 06:13:17AM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> >> Do you remember why consensus wasn't reached? Unless there's a good
> >> reason, I would like to remove support for AH from Linux.
> >
> > The people thought they had good reasons. 
> 
> 
> Not a good argument - nobody (normally) argues believing his reasons are bad. 
> The real reasons for AH existence have died long ago - and I’ve been there 
> when AH was initially created, so yes I do know.
> 
> 
> > There were various use cases and saving bytes compared to esp-null mattered.
> 
> No valid use cases now, AFAIK - and while saving bytes might make some sense, 
> I’d say - not in this case.

Some people still use it because it authenticates the constant
fields of the outer IP header; this can't be done with ESP.

> >> If no one’s using AH then the code is nothing more than a liability and
> >> maintenance headache. Granted, we don't need formal deprecation of AH
> >> to do that, but I would prefer to keep Linux and IETF on the same page.
> 
> And it’s about time to turn that page over. 😉

I'd be more than happy to get rid of AH in the Linux Kernel, and an
official deprecation by the IETF would help a lot.

> 
> > I thought Linux didn’t break APIs. You can ask the Linux IPsec maintainer, 
> > he is on this list and will read this too. 
> > My impression was even if the IETF obsoleted it, Linux wouldn't remove it.
> 
> 
> Let’s hope he’ll jump in. BTW, breaking changes do happen, as I observed 
> myself when I was working with/on Linux.

Breaking changes do happen, but we should not break things
intentionally. We need to make sure that all still valid
use cases are covered somewhere else, then we can start
the deprecation process in the IETF and the Linux Kernel.

Steffen
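
Added example, not part of the message above and not Linux kernel code: a sketch of the ICV inputs for AH (RFC 4302) and ESP with null encryption, showing which in-transit changes to the outer IPv4 header each one detects. The key, addresses, SPI, total length and payload are constructed, and HMAC-SHA-256-128 is an assumed algorithm choice.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"      # constructed sample key, not a real SA
ICV_LEN = 16                       # HMAC-SHA-256-128 truncation (RFC 4868)
TOTAL_LEN = 100                    # constructed; identical in every variant below
PAYLOAD = b"constructed upper-layer payload"

def ipv4_header(src, ttl, proto, dst="198.51.100.7"):
    """20-byte IPv4 header without options; checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, TOTAL_LEN, 0x1234, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(ip_hdr):
    """Zero the IPv4 fields RFC 4302 treats as mutable before computing the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                # DSCP/ECN
    h[6:8] = bytes(2)       # flags and fragment offset
    h[8] = 0                # TTL
    h[10:12] = bytes(2)     # header checksum
    return bytes(h)

def _mac(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]

def ah_icv(ip_hdr, spi, seq, payload, next_hdr=6):
    """AH input: outer header (mutable fields zeroed) + AH with zeroed ICV + payload."""
    ah = struct.pack("!BBHII", next_hdr, 5, 0, spi, seq) + bytes(ICV_LEN)
    return _mac(zero_mutable(ip_hdr) + ah + payload)

def esp_null_icv(ip_hdr, spi, seq, payload, next_hdr=6):
    """ESP input: SPI, sequence number, payload, trailer. ip_hdr is accepted only
    to make explicit that the outer header is not part of the input."""
    pad = bytes(range(1, (-(len(payload) + 2)) % 4 + 1))
    trailer = pad + struct.pack("!BB", len(pad), next_hdr)
    return _mac(struct.pack("!II", spi, seq) + payload + trailer)

def compare():
    """For each protocol: does the ICV still verify after the header change?"""
    out = {}
    for name, fn, proto in (("ah", ah_icv, 51), ("esp_null", esp_null_icv, 50)):
        ref = fn(ipv4_header("192.0.2.1", 64, proto), 0x1000, 1, PAYLOAD)
        ttl = fn(ipv4_header("192.0.2.1", 57, proto), 0x1000, 1, PAYLOAD)
        src = fn(ipv4_header("203.0.113.9", 64, proto), 0x1000, 1, PAYLOAD)
        out[name] = {"ttl_changed": hmac.compare_digest(ref, ttl),
                     "src_changed": hmac.compare_digest(ref, src)}
    return out

if __name__ == "__main__":
    print(compare())
```

A True entry means the ICV still verifies after that change: both protocols tolerate a TTL decrement, but only AH fails verification when the outer source address is rewritten.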

_______________________________________________
IPsec mailing list -- [email protected]
To unsubscribe send an email to [email protected]
