All of the standards I've seen that explicitly define how IPsec is to
be used for authentication (including RFC 4552 - Authentication/
Confidentiality for OSPFv3) say that for authentication ESP-Null MUST
be used and AH MAY.
Which RFCs specify AH specifically as a MUST for authentication/
integrity?
Now on the flip side, in practical implementations, most vendors I
know of started off with AH being used for OSPFv3 and I doubt in
practice people are using ESP-Null. Would love to be wrong here :)
- merike
On Nov 11, 2009, at 7:28 PM, Stephen Kent wrote:
At 7:44 AM +0530 11/12/09, Bhatia, Manav (Manav) wrote:
Steve,
I would have no problem deprecating AH in the context of the IPsec
architecture document, if others agree. It is less efficient than
ESP-NULL. However, other WGs have cited AH as the IPsec protocol of
choice for integrity/authentication in their environments, so there
will be a need to coordinate with them, and it may be unacceptable to
kill AH as a standalone protocol for them.
I agree that it is a trifle too early to start deprecating AH,
though I wouldn't mind doing so. OTOH, don't most WGs already
suggest AH as a MAY, and ESP-NULL as a MUST?
Not always. For example, I believe that OSPF security makes use of
AH, outside the IPsec context.
In any case what should be the stand for the newer work that comes
out of these WGs. Should they spell out support for AH, or should
they just be talking about ESP (or ESP-NULL or WESP)?
I'd recommend ESP-NULL, unless the context in which they operate
might require inspection by an intermediate system.
If we want to deprecate AH, or at least discourage its use in the
context of the IPsec architecture in the near future, then
shouldn't we be working on this?
Part of the problem is that some WGs want to make use of IPsec
protocols outside of the IPsec architecture.
> I am not comfortable with the notion of ESP with WESP. WESP adds
> more per-packet overhead than ESP, and some users are very sensitive
> to this aspect of IPsec use. Also, other WGs rely on ESP and we would
> need to convince them that the packet inspection features of WESP
> merit making changes to their standards, which might be a tough
> sell.
I agree. However, we should start socializing WESP in other WGs so
that folks are at least aware of it.
Agree.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
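The thread above compares three ways of getting integrity-only protection for a routing protocol: AH, ESP with NULL encryption, and WESP wrapped around ESP-NULL so that a middlebox can tell the payload is in the clear. The following is an added example, written for this page and not code from the thread, from any RFC, or from any vendor's OSPFv3 implementation. It builds all three encapsulations around one constructed OSPFv3 Hello, following the header layouts in RFC 4302 (AH), RFC 4303 (ESP) and RFC 5840 (WESP) with an HMAC-SHA1-96 ICV, and then shows two things the discussion only states: the per-packet overhead each one adds, and what an intermediate system with no SA state can recover from each. The key, SPI, addresses and payload bytes are constructed test values; the reading of the WESP HdrLen, TrailerLen and Flags fields is my own interpretation of RFC 5840.

```python
# Added example: not code from the IPsec list thread or any vendor.
# Builds AH, ESP-NULL and WESP-over-ESP-NULL around one constructed
# OSPFv3 packet, compares per-packet overhead, and shows what a keyless
# middlebox can recover. Layouts follow RFC 4302/4303/5840; ICV is
# HMAC-SHA1-96. Key, SPI, addresses and payload are constructed values.
import hmac, hashlib, struct, ipaddress

KEY = b"\x0b" * 20                 # constructed HMAC key, test use only
SPI, SEQ = 0x00000100, 1           # constructed SA parameters
ICV_LEN = 12                       # HMAC-SHA1-96 truncation
NH_OSPF, NH_ESP, NH_AH, NH_WESP = 89, 50, 51, 141   # IANA protocol numbers
AH_LEN = 12 + ICV_LEN              # fixed fields + ICV = 24, a multiple of 8 as IPv6 requires
SRC = ipaddress.IPv6Address("fe80::1").packed
DST = ipaddress.IPv6Address("ff02::5").packed       # AllSPFRouters

# Constructed OSPFv3 Hello: 16-byte OSPFv3 header + 20-byte Hello body (checksum left 0).
PAYLOAD = (struct.pack("!BBHIIHBB", 3, 1, 36, 0x01010101, 0, 0, 0, 0)
           + struct.pack("!IIHHII", 5, 0x01000013, 10, 40, 0, 0))

def icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]

def ipv6_header_for_icv(payload_len, next_hdr, src, dst):
    # RFC 4302 3.3.3.1.2: mutable IPv6 fields (Traffic Class, Flow Label,
    # Hop Limit) are zeroed before the ICV is computed; the rest is covered.
    return struct.pack("!IHBB", 6 << 28, payload_len, next_hdr, 0) + src + dst

def ah_encapsulate(payload, src, dst):
    # AH: Next Header | Payload Len (32-bit words minus 2) | Reserved | SPI | Seq | ICV
    hdr = struct.pack("!BBHII", NH_OSPF, AH_LEN // 4 - 2, 0, SPI, SEQ)
    ip_hdr = ipv6_header_for_icv(AH_LEN + len(payload), NH_AH, src, dst)
    return hdr + icv(ip_hdr + hdr + b"\x00" * ICV_LEN + payload) + payload

def verify_ah(pkt, src, dst):
    # Receiver recomputes the ICV over the (mutable-zeroed) outer header too.
    hdr, mac, payload = pkt[:12], pkt[12:AH_LEN], pkt[AH_LEN:]
    ip_hdr = ipv6_header_for_icv(len(pkt), NH_AH, src, dst)
    expected = icv(ip_hdr + hdr + b"\x00" * ICV_LEN + payload)
    return payload if hmac.compare_digest(mac, expected) else None

def esp_pad_len(payload):
    # With NULL encryption, payload + Pad Length + Next Header must end on a 4-octet boundary.
    return (-(len(payload) + 2)) % 4

def esp_null_encapsulate(payload):
    # ESP: SPI | Seq | payload | padding | Pad Length | Next Header | ICV.
    # The ICV covers SPI through Next Header only; the outer IP header is not bound.
    pad_len = esp_pad_len(payload)
    body = (struct.pack("!II", SPI, SEQ) + payload
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, NH_OSPF]))
    return body + icv(body)

def verify_esp_null(pkt):
    body, mac = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(mac, icv(body)):
        return None
    pad_len = body[-2]
    return body[8:len(body) - 2 - pad_len]

def wesp_encapsulate(payload):
    # WESP (RFC 5840) prepends 4 octets: Next Header | HdrLen | TrailerLen | Flags.
    # HdrLen = offset from WESP start to the payload data (no IV with NULL);
    # TrailerLen = octets after the payload data (padding, Pad Length, Next Header, ICV);
    # Flags bits V V E P R R R R, with E=0 (not encrypted) and P=0. My reading of the RFC.
    pad_len = esp_pad_len(payload)
    wesp_hdr = struct.pack("!BBBB", NH_OSPF, 4 + 8, pad_len + 2 + ICV_LEN, 0x00)
    return wesp_hdr + esp_null_encapsulate(payload)

def inspect_without_keys(proto, pkt):
    """What an intermediate system with no SA state can recover: the payload, or None."""
    if proto == NH_AH:                       # AH header length is self-describing
        return pkt[(pkt[1] + 2) * 4:]
    if proto == NH_WESP:                     # HdrLen/TrailerLen bound the cleartext payload
        _, hdr_len, trailer_len, flags = pkt[:4]
        return None if flags & 0x20 else pkt[hdr_len:len(pkt) - trailer_len]
    return None    # plain ESP: nothing on the wire says whether the payload is NULL or encrypted

def overhead(payload=PAYLOAD):
    """Per-packet octets added by each encapsulation (12-octet ICV)."""
    return {"AH": len(ah_encapsulate(payload, SRC, DST)) - len(payload),
            "ESP-NULL": len(esp_null_encapsulate(payload)) - len(payload),
            "WESP": len(wesp_encapsulate(payload)) - len(payload)}

if __name__ == "__main__":
    print(overhead())                                   # {'AH': 24, 'ESP-NULL': 24, 'WESP': 28}
    print(overhead(PAYLOAD[:34]))                       # ESP-NULL pads to 4 octets: 22 here, up to 25
    ah_pkt = ah_encapsulate(PAYLOAD, SRC, DST)
    print(verify_ah(ah_pkt, SRC, DST) == PAYLOAD)       # True
    print(verify_ah(ah_pkt, SRC, ipaddress.IPv6Address("ff02::6").packed))  # None: AH binds the outer header
```

Two points fall out of running it. On the wire the three are close: with a 96-bit ICV AH is a fixed 24 octets, ESP-NULL is 22 to 25 depending on padding, and WESP is ESP-NULL plus 4, which is the overhead objection in the thread made concrete. The real difference between AH and ESP-NULL is not size but what the ICV covers: verify_ah has to rebuild the outer IPv6 header with mutable fields zeroed and fails if the addresses differ, while verify_esp_null never looks at the IP header at all. And inspect_without_keys shows why WESP exists: a middlebox can slice the payload out of AH or WESP from the headers alone, but a plain ESP packet gives it no way to know whether the payload is NULL-encrypted or not.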