Jun Hu (Nokia) <[email protected]> wrote:
> I personally agree to get rid of AH; however, if we consider the impact,
> it is more than just IPsec. There are some non-IPsec protocols today that
> still allow using AH (along with ESP), like OSPFv3 (RFC4552) and MIPv6
> (RFC6275); there might be others.
No, they don't really use it in practice. It was RFC 5406, "Use IPsec".

AH can't be used meaningfully with any protocol that multicasts on the wire. (So, OSPFv3 could never use it. MIPv6 would have used it to authenticate the MIPv6 header, for the Binding Update messages. But those messages are useless if there are actual BCP38 filters. While some claim some mobile operators use it within the RAN, I have never seen it.)

We learned that AH was, sadly, useless when we tried to use it for SEND. AH got the behaviour for an unknown SPI# wrong. The correct behaviour, to be useful, was to skip the header, treat it like it was never there, and go on to the next (Extension/ULP) header. But instead, "deployed" code drops the packet and sends an error.

All other uses of AH can be done with ESP and a tunnel to authenticate the needed headers. Perhaps ESPv3 will also let us authenticate some before things.

While we failed at getting consensus a bunch of years ago, that was then.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     [email protected]  http://www.sandelman.ca/        |   ruby on rails    [
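The unknown-SPI handling discussed above, as an added example that is not part of the thread or of any IPsec implementation: a small IPv6 extension-header walker that, on an AH whose SPI is not in its SA table, either drops the packet (the deployed behaviour) or skips the header as if it were absent and continues to the next header (the behaviour the reply calls correct). The SA table, the key, the packet bytes and the simplified ICV construction are constructed assumptions for the example; real AH (RFC 4302) also covers the IP header with mutable fields zeroed.

```python
import hmac, hashlib, struct

AH, ICMPV6 = 51, 58                 # IPv6 next-header values
GENERIC_EXT = {0, 43, 60}           # hop-by-hop, routing, dest opts: (HdrExtLen+1)*8 bytes
ICV_LEN = 12                        # HMAC-SHA256-96 style truncation (constructed choice)

# Constructed SA table: SPI -> integrity key (example values, not real keys)
SA_TABLE = {0x00001000: b"constructed-example-key"}

def ah_icv(key, ah_hdr, payload):
    """Simplified ICV: HMAC over the AH header (ICV field zeroed) plus the payload."""
    zeroed = ah_hdr[:12] + b"\x00" * (len(ah_hdr) - 12)
    return hmac.new(key, zeroed + payload, hashlib.sha256).digest()[:ICV_LEN]

def build_ah(spi, seq, next_hdr, payload, key):
    # Payload Len = AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    fixed = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)
    return fixed + ah_icv(key, fixed + b"\x00" * ICV_LEN, payload)

def make_packet(spi, payload, key=SA_TABLE[0x1000]):
    """Constructed chain after the fixed IPv6 header: Hop-by-Hop -> AH -> ICMPv6."""
    hop_by_hop = bytes([AH, 0, 1, 4, 0, 0, 0, 0])       # next=AH, len=0, PadN(4)
    return hop_by_hop + build_ah(spi, 1, ICMPV6, payload, key) + payload

def walk_headers(first_hdr, data, skip_unknown_spi):
    """Walk the extension-header chain. Returns ("accept", proto, offset) or
    ("drop", reason, offset). skip_unknown_spi selects the proposed behaviour."""
    nh, off = first_hdr, 0
    while True:
        if nh == AH:
            next_hdr, plen, _, spi, _seq = struct.unpack_from("!BBHII", data, off)
            ah_len = (plen + 2) * 4
            ah_hdr, rest = data[off:off + ah_len], data[off + ah_len:]
            key = SA_TABLE.get(spi)
            if key is None:
                if not skip_unknown_spi:           # deployed behaviour: drop + error
                    return ("drop", "unknown SPI", off)
                # proposed behaviour: treat the AH as if it were never there
            elif not hmac.compare_digest(ah_hdr[12:], ah_icv(key, ah_hdr, rest)):
                return ("drop", "bad ICV", off)
            nh, off = next_hdr, off + ah_len
        elif nh in GENERIC_EXT:
            nh, off = data[off], off + (data[off + 1] + 1) * 8
        else:
            return ("accept", nh, off)
```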
