RFC 5601 -> RFC 4601
-------- Forwarded Message --------
Subject: [IPsec] Re: [EXT] Re: Fwd: New Version Notification for draft-herbert-deprecate-auth-header-00.txt
Date: Fri, 2 Jan 2026 17:36:31 -0500
From: William Atwood <[email protected]>
Organization: Concordia University
To: [email protected]
PIM was originally specified in RFC 5601, which required AH, but did not
specify the details of how to use IPsec with PIM. RFC 5796 specified
how to use IPsec in detail. It mandated ESP, but allowed AH. The
Internet Standard version of PIM, specified in RFC 7761, removed the
requirement for IPsec, on the grounds of insufficient deployment experience.
So, it is probably very safe to say that AH is not deployed by users of PIM.
Bill
On 2026-01-02 12:04 p.m., Tom Herbert wrote:
On Fri, Jan 2, 2026 at 8:50 AM Jun Hu (Nokia) <[email protected]> wrote:
I personally agree to get rid of AH; however, if we consider the
impact, it is more than just IPsec. There are some non-IPsec
protocols today that still allow the use of AH (along with ESP), like OSPFv3
(RFC 4552) and MIPv6 (RFC 6275); there might be others.
Hi Jun,
That's a good point. Do you know of anyone using AH with routing
protocols? If someone is using it is there any reason they could use ESP
or ESP-NULL instead?
Tom
From: Tom Herbert <[email protected]>
Sent: Friday, January 2, 2026 8:16 AM
To: Steffen Klassert <[email protected]>
Cc: Blumenthal, Uri - 0553 - MITLL <[email protected]>; Paul Wouters <[email protected]>; [email protected]
Subject: [IPsec] Re: [EXT] Re: Fwd: New Version Notification for draft-herbert-deprecate-auth-header-00.txt
On Fri, Jan 2, 2026, 4:25 AM Steffen Klassert <[email protected]> wrote:
On Thu, Jan 01, 2026 at 06:13:17AM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> >> Do you remember why consensus wasn't reached? Unless there's a good
> >> reason, I would like to remove support for AH from Linux.
> >
> > The people thought they had good reasons.
>
> Not a good argument - nobody (normally) argues believing his reasons are bad.
> The real reasons for AH existence have died long ago - and I've been there
> when AH was initially created, so yes I do know.
>
> > There were various use cases and saving bytes compared to esp-null mattered.
>
> No valid use cases now, AFAIK - and while saving bytes might make some sense,
> I'd say - not in this case.

Some people still use it because it authenticates the constant
fields of the outer IP header, this can't be done with ESP.

Hi Steffen,

Is this a fact that people are using AH or a conjecture that people
might be using it? :-)

Also, I'm not sure there's really any value in authenticating the
constant fields of the IP header. The constant fields are just
addresses, version, length (IHL and total), next protocol. With the
exception of the addresses, any modifications to the other fields
in flight would most likely result in dropped packets, especially if
ESP or transport security is also in use. The addresses of course
are routinely changed in NAT, so use of AH could prevent the use of
NAT in the path. That point was brought up on 6man, where AH could be
used to discourage the use of NAT with IPv6. I'm doubtful anyone is
actually using AH for that purpose.

> >> If no one's using AH then the code is nothing more than a liability and
> >> maintenance headache. Granted, we don't need formal deprecation of AH
> >> to do that, but I would prefer to keep Linux and IETF on the same page.
>
> And it's about time to turn that page over. 😉

I'd be more than happy to get rid of AH in the Linux Kernel, and an
official deprecation by the IETF would help a lot.

Sounds good. I believe the first step will be to disable compilation
of AH by default in Kconfig with a nice warning that AH is being
deprecated. I'll post a patch shortly.

> > I thought Linux didn't break APIs. You can ask the Linux IPsec maintainer,
> > he is on this list and will read this too.
> > My impression was even if the IETF obsoleted it, Linux wouldn't remove it.
>
> Let's hope he'll jump in. BTW, breaking changes do happen, as I observed
> myself when I was working with/on Linux.

Breaking changes do happen, but we should not break things
intentionally. We need to make sure that all still valid
use cases are covered somewhere else, then we can start
the deprecation process in the IETF and the Linux Kernel.

AFAICT, ESP or transport layer security adequately covers all
practical use cases.

Tom

Steffen
_______________________________________________
IPsec mailing list -- [email protected]
To unsubscribe send an email to [email protected]
--
Dr. J.W. Atwood, Eng. (retired)
Distinguished Professor Emeritus
Department of Computer Science
and Software Engineering
Concordia University ER 1234 email:[email protected]
1455 de Maisonneuve Blvd. West
http://users.encs.concordia.ca/~bill
Montreal, Quebec Canada H3G 1M8
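The exchange above turns on which bytes of the outer IP header AH's ICV covers and ESP's does not. The following Python sketch is an added illustration, not code from this thread, from Linux or from any IPsec implementation. It builds a 20-byte IPv4 header, computes an AH ICV the way RFC 4302 prescribes (mutable fields DSCP/ECN, flags, fragment offset, TTL and header checksum zeroed; AH's own ICV field zeroed) and an ESP-NULL ICV over the ESP header, payload and trailer only, then pushes both packets through a normal router hop (TTL decrement) and a NAT hop (source address rewrite). The key, addresses, SPI, payload and the use of next-header 253 (experimental) are constructed for the example; HMAC-SHA-256-128 is used as the integrity algorithm.

```python
"""Added example: what AH and ESP-NULL integrity-protect in the outer IPv4 header."""
import hashlib
import hmac
import ipaddress
import struct

KEY = bytes(range(32))          # constructed demo key, not a real SA key
SPI, SEQ = 0x1000, 1             # constructed SA parameters
PAYLOAD = b"hello from host A"   # constructed payload
PROTO_ESP, PROTO_AH, NEXT_EXPERIMENTAL = 50, 51, 253


def _checksum(hdr: bytes) -> int:
    """IPv4 header checksum, computed with the checksum field zeroed."""
    s = sum(struct.unpack("!10H", hdr[:10] + b"\x00\x00" + hdr[12:]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def _fix_checksum(hdr: bytes) -> bytes:
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def ipv4_header(src, dst, ttl, proto, total_len, tos=0, ident=0x1234, flags_frag=0x4000):
    """20-byte IPv4 header without options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return _fix_checksum(hdr)


def ah_zero_mutable(hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1.1: mutable IPv4 fields are zeroed before the ICV is computed."""
    b = bytearray(hdr)
    b[1] = 0                  # DSCP + ECN
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)           # version/IHL, total length, ID, protocol, src, dst stay covered


def icv(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256-128 (RFC 4868 truncation)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def ah_header(next_hdr: int, tag: bytes = bytes(16)) -> bytes:
    # payload len = AH length in 32-bit words minus 2 = (12 + 16) / 4 - 2 = 5
    return struct.pack("!BBHII", next_hdr, 5, 0, SPI, SEQ) + tag


def ah_packet(src, dst, ttl, payload):
    hdr = ipv4_header(src, dst, ttl, PROTO_AH, 20 + 28 + len(payload))
    tag = icv(KEY, ah_zero_mutable(hdr) + ah_header(NEXT_EXPERIMENTAL) + payload)
    return hdr, ah_header(NEXT_EXPERIMENTAL, tag), payload


def ah_verify(hdr, ah, payload) -> bool:
    expected = icv(KEY, ah_zero_mutable(hdr) + ah[:12] + bytes(16) + payload)
    return hmac.compare_digest(ah[12:], expected)


def esp_null_packet(src, dst, ttl, payload):
    """ESP with NULL encryption: ICV covers ESP header, payload and trailer, never the IP header."""
    esp_hdr = struct.pack("!II", SPI, SEQ)
    pad = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad + 1)) + bytes([pad, NEXT_EXPERIMENTAL])
    body = esp_hdr + payload + trailer
    hdr = ipv4_header(src, dst, ttl, PROTO_ESP, 20 + len(body) + 16)
    return hdr, body + icv(KEY, body)


def esp_verify(hdr, esp) -> bool:
    return hmac.compare_digest(esp[-16:], icv(KEY, esp[:-16]))


def router_hop(hdr: bytes) -> bytes:
    """Ordinary forwarding: decrement TTL, recompute checksum."""
    b = bytearray(hdr)
    b[8] -= 1
    return _fix_checksum(bytes(b))


def nat_hop(hdr: bytes, new_src: str) -> bytes:
    """1:1 source NAT (no ports to rewrite in AH/ESP): replace source address."""
    b = bytearray(hdr)
    b[12:16] = ipaddress.IPv4Address(new_src).packed
    return _fix_checksum(bytes(b))


def run() -> dict:
    a_hdr, ah, pl = ah_packet("10.0.0.1", "10.0.0.2", 64, PAYLOAD)
    e_hdr, esp = esp_null_packet("10.0.0.1", "10.0.0.2", 64, PAYLOAD)
    return {
        "ah_after_router": ah_verify(router_hop(a_hdr), ah, pl),      # TTL is mutable: still verifies
        "esp_after_router": esp_verify(router_hop(e_hdr), esp),
        "ah_after_nat": ah_verify(nat_hop(a_hdr, "192.0.2.1"), ah, pl),  # src is covered: fails
        "esp_after_nat": esp_verify(nat_hop(e_hdr, "192.0.2.1"), esp),   # header not covered: passes
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k}: {v}")
```

The router hop leaves both ICVs valid because TTL and checksum are exactly the fields AH excludes; the NAT hop breaks only the AH ICV, since source and destination addresses are among the immutable fields it covers, while the ESP-NULL packet sails through because its ICV never touched the outer header. That is the whole of the "authenticates the constant fields of the outer IP header" property under discussion, and also why AH and NAT cannot coexist on a path.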