Hi Fernando,

On Thu, Jul 08, 2021 at 03:48:05AM +0000, Fernando Gont wrote:
> Hello, Ben,
>
> On Wed, 2021-07-07 at 19:00 -0700, Benjamin Kaduk wrote:
> > On Wed, Jun 30, 2021 at 10:03:48PM -0700, Erik Kline via Datatracker wrote:
> > > [S4.3.9.4] [comment]
> > >
> > > * It seems fairly clear from RFC 5570 Security Considerations that a
> > >   CALIPSO option is best protected with an AH, and in such cases stripping
> > >   the CALIPSO option would cause the packet to fail validation at the
> > >   (suitably configured) destination.
> > >
> > >   Similarly, it might be good to note in S4.3.9.5 that if an AH is present
> > >   presumably the advice from S3.4.5.5 applies.
> >
> > Probably not very relevant here, but the current IPSECME advice is to use
> > ESP with null encryption rather than AH.
>
> A pointer might be worth including. What document and section should we
> be referencing here?
It's not perfect, but https://datatracker.ietf.org/doc/html/rfc8221#section-5
does include:

   ENCR_NULL status was set to MUST in [RFC7321] and remains a MUST to
   enable the use of ESP with only authentication, which is preferred
   over AH due to NAT traversal. ENCR_NULL is expected to remain MUST
   by protocol requirements.

-Ben

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
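The two points raised in the thread (AH detects a stripped CALIPSO option because its ICV covers immutable IP header fields and options, while ESP with ENCR_NULL survives NAT because its ICV covers only the ESP payload) can be shown with a simplified integrity-coverage model. This is an added illustration, not code from the draft or from any IPsec implementation; the key, addresses, option bytes and the coverage rules are constructed assumptions, and HMAC-SHA256 stands in for whatever AUTH algorithm the SA negotiates.

```python
import hmac
import hashlib

# Constructed sample key; a real SA would derive keys via IKEv2.
KEY = b"example-sa-key-not-for-real-use"


def icv(covered: bytes) -> bytes:
    """Integrity check value over the covered bytes (HMAC-SHA256 as a stand-in)."""
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def ah_coverage(pkt: dict) -> bytes:
    # Simplified AH model: the ICV covers the IP addresses and the immutable
    # hop-by-hop options (CALIPSO's option type is marked "does not change
    # en route"), plus the payload. Mutable fields are omitted, i.e. zeroed.
    return b"".join([pkt["src"], pkt["dst"], pkt["calipso"], pkt["payload"]])


def esp_null_coverage(pkt: dict) -> bytes:
    # Simplified ESP (ENCR_NULL) model: the ICV covers only the ESP payload,
    # never the outer IP header or its extension headers.
    return pkt["payload"]


def protect(pkt: dict, coverage) -> bytes:
    return icv(coverage(pkt))


def verify(pkt: dict, coverage, tag: bytes) -> bool:
    return hmac.compare_digest(icv(coverage(pkt)), tag)


def make_packet() -> dict:
    # Constructed sample packet; the CALIPSO bytes are not a real label.
    return {
        "src": bytes.fromhex("20010db8000000000000000000000001"),
        "dst": bytes.fromhex("20010db8000000000000000000000002"),
        "calipso": bytes([0x07, 0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00]),
        "payload": b"labelled application data",
    }


def run_scenarios() -> dict:
    pkt = make_packet()
    ah_tag = protect(pkt, ah_coverage)
    esp_tag = protect(pkt, esp_null_coverage)
    stripped = dict(pkt, calipso=b"")                      # middlebox removed CALIPSO
    natted = dict(pkt, src=bytes.fromhex("20010db8000000000000000000000099"))  # address rewritten
    return {
        "ah_strip_detected": not verify(stripped, ah_coverage, ah_tag),
        "ah_nat_survives": verify(natted, ah_coverage, ah_tag),
        "esp_strip_detected": not verify(stripped, esp_null_coverage, esp_tag),
        "esp_nat_survives": verify(natted, esp_null_coverage, esp_tag),
    }
```

The model makes the trade-off explicit: AH flags the stripped option but breaks under address rewriting, while ESP-NULL passes through NAT but cannot tell that the CALIPSO option was removed.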