I read the draft and it's very interesting. There were some issues that I had never imagined could exist and it does a wonderful job of bringing them forth.
However, I still don't understand why AH would be preferred over ESP-NULL in case of OSPFv3. The draft speaks of issues with replaying the OSPF packets. One could also do these things with AH. Am I missing something?

Jack

On Mon, Nov 16, 2009 at 11:47 AM, Joel Jaeggli <joe...@bogus.com> wrote:
>
> Bill Fehring wrote:
>> On Sun, Nov 15, 2009 at 20:48, Joel Jaeggli <joe...@bogus.com> wrote:
>>> Owen DeLong wrote:
>>>> I've never seen anyone use AH vs. ESP.
>>> OSPFv3?
>>
>> Maybe I'm asking a dumb question, but why would one prefer AH over ESP
>> for OSPFv3?
>
> Header protection... still doesn't provide replay protection, your
> mileage may vary
>
> http://tools.ietf.org/html/draft-ietf-opsec-routing-protocols-crypto-issues-02
>
>> RFC4552:
>> "In order to provide authentication to OSPFv3, implementations MUST
>> support ESP and MAY support AH."
>>
>> -Bill
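The replay question raised in this thread, as an added example that is not part of any message here: a Python model of the receiver-side anti-replay window that AH (RFC 4302) and ESP (RFC 4303, Appendix A) both apply to the same 32-bit sequence number, so the choice between them does not change this check. The class and function names and the packet trace are constructed for the example; the trace shows a replayed packet being dropped and what the window does when a manually keyed sender (RFC 4552 mandates manual keying for OSPFv3) restarts its counter.

```python
# Added example: RFC 4303 Appendix A style anti-replay window.
# Both AH and ESP carry a 32-bit sequence number per SA and use
# this receiver-side sliding window; names here are constructed.

class AntiReplayWindow:
    """Receiver-side sliding window over per-SA sequence numbers."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => (top - i) already received

    def check_and_update(self, seq):
        """Return True if seq is accepted (and recorded), False if rejected."""
        if seq == 0:
            return False   # first valid sequence number on an SA is 1
        if seq > self.top:
            # New high-water mark: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False   # older than the window: dropped
        if self.bitmap & (1 << offset):
            return False   # already seen inside the window: replay
        self.bitmap |= 1 << offset
        return True


def simulate(sequence, size=64):
    """Feed a constructed list of sequence numbers; return accept/reject flags."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in sequence]


if __name__ == "__main__":
    # Constructed trace: in-order traffic, one reordered packet, one replay
    # of seq 3, a jump to 100, then the sender restarts its counter at 1
    # (what a manually keyed peer does after a reboot: its packets are
    # now rejected unless the receiver disables the window).
    print(simulate([1, 2, 3, 5, 4, 3, 100, 1]))
    # -> [True, True, True, True, True, False, True, False]
```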