I personally agree to get rid of AH; however if we consider the impact, it is more than just IPsec, there are some non-ipsec protocols today still allow to use AH (along with ESP) like OSPFv3 (RFC4552), MIPv6 (RFC6275), there might other others
From: Tom Herbert <[email protected]> Sent: Friday, January 2, 2026 8:16 AM To: Steffen Klassert <[email protected]> Cc: Blumenthal, Uri - 0553 - MITLL <[email protected]>; Paul Wouters <[email protected]>; [email protected] Subject: [IPsec] Re: [EXT] Re: Fwd: New Version Notification for draft-herbert-deprecate-auth-header-00.txt You don't often get email from [email protected]<mailto:[email protected]>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> CAUTION: This is an external email. Please be very careful when clicking links or opening attachments. See the URL nok.it/ext for additional information. On Fri, Jan 2, 2026, 4:25 AM Steffen Klassert <[email protected]<mailto:[email protected]>> wrote: On Thu, Jan 01, 2026 at 06:13:17AM +0000, Blumenthal, Uri - 0553 - MITLL wrote: > >> Do you remember why consensus wasn't reached? Unless there's a good > >> reason, I would like to remove support for AH from Linux. > > > > The people thought they had good reasons. > > > Not a good argument - nobody (normally) argues believing his reasons are bad. > The real reasons for AH existence have died long ago - and I’ve been there > when AH was initially created, so yes I do know. > > > > There were various use cases and saving bytes compared to esp-null mattered. > > No valid use cases now, AFAIK - and while saving bytes might make some sense, > I’d say - not in this case. Some people still use it because it authenticates the constant fields of the outer IP header, this can't be done with ESP. Hi Steffen, Is this a fact that people are using AH or a conjecture that people might be using it? :-) Also, I'm not sure there's really any value in authenticating the constant fields of IP header. The constant fields are just addresses, version, length (IHL and total), next protocol. With the exception of the addresses, any modifications to the other fields inflight would most likely result in dropped packets especially if ESP or Transport security is also in use. The addresses of course are routinely changed in NAT, so use of AH could prevent the use of NAT in the path. That point was brought up on 6man where AH could be used to discourage the use of NAT with IPv6. I'm doubtful anyone is actually using AH for that purpose. > >> If no one’s using AH then the code is nothing more than a liability and > >> maintenance headache. Granted, we don't need formal deprecation of AH > >> to do that, but I would prefer to keep Linux and IETF on the same page. > > And it’s about time to turn that page over. 😉 I'd be more than happy to get rid of AH in the Linux Kernel, and an official deprecation by the IETF would help a lot. Sounds good. I believe the first step will be to disable compilation of AH by default in Kconfig with a nice warning that AH is being deprecated. I'll post a patch shortly. > > > I thought Linux didn’t break APIs. You can ask the Linux IPsec maintainer, > > he is on this list and will read this too. > > My impression was even if the IETF obsoleted it, Linux wouldn't remove it. > > > Let’s hope he’ll jump in. BTW, breaking changes do happen, as I observed > myself when I was working with/on Linux. Breaking changes do happen, but we should not break things intentionally. We need to make sure that all still valid use cases are covered somewhere else, then we can start the deprecation process in the IETF and the Linux Kernel. AFAICT, ESP or transport layer security adequately covers all practical use cases. Tom Steffen
_______________________________________________ IPsec mailing list -- [email protected] To unsubscribe send an email to [email protected]
