On Fri, Jan 2, 2026, 4:25 AM Steffen Klassert <[email protected]> wrote:
> On Thu, Jan 01, 2026 at 06:13:17AM +0000, Blumenthal, Uri - 0553 - MITLL > wrote: > > >> Do you remember why consensus wasn't reached? Unless there's a good > > >> reason, I would like to remove support for AH from Linux. > > > > > > The people thought they had good reasons. > > > > > > Not a good argument - nobody (normally) argues believing his reasons are > bad. The real reasons for AH existence have died long ago - and I’ve been > there when AH was initially created, so yes I do know. > > > > > > > There were various use cases and saving bytes compared to esp-null > mattered. > > > > No valid use cases now, AFAIK - and while saving bytes might make some > sense, I’d say - not in this case. > > Some people still use it because it authenticates the constant > fields of the outer IP header, this can't be done with ESP. > Hi Steffen, Is this a fact that people are using AH or a conjecture that people might be using it? :-) Also, I'm not sure there's really any value in authenticating the constant fields of IP header. The constant fields are just addresses, version, length (IHL and total), next protocol. With the exception of the addresses, any modifications to the other fields inflight would most likely result in dropped packets especially if ESP or Transport security is also in use. The addresses of course are routinely changed in NAT, so use of AH could prevent the use of NAT in the path. That point was brought up on 6man where AH could be used to discourage the use of NAT with IPv6. I'm doubtful anyone is actually using AH for that purpose. > > >> If no one’s using AH then the code is nothing more than a liability > and > > >> maintenance headache. Granted, we don't need formal deprecation of AH > > >> to do that, but I would prefer to keep Linux and IETF on the same > page. > > > > And it’s about time to turn that page over. 😉 > > I'd be more than happy to get rid of AH in the Linux Kernel, and an > official deprecation by the IETF would help a lot. > Sounds good. I believe the first step will be to disable compilation of AH by default in Kconfig with a nice warning that AH is being deprecated. I'll post a patch shortly. > > > > > I thought Linux didn’t break APIs. You can ask the Linux IPsec > maintainer, > > > he is on this list and will read this too. > > > My impression was even if the IETF obsoleted it, Linux wouldn't remove > it. > > > > > > Let’s hope he’ll jump in. BTW, breaking changes do happen, as I observed > myself when I was working with/on Linux. > > Breaking changes do happen, but we should not break things > intentionally. We need to make sure that all still valid > use cases are covered somewhere else, then we can start > the deprecation process in the IETF and the Linux Kernel. > AFAICT, ESP or transport layer security adequately covers all practical use cases. Tom > Steffen > >
_______________________________________________ IPsec mailing list -- [email protected] To unsubscribe send an email to [email protected]
