nanog mailing list archives

Re: AH or ESP


From: Merike Kaeo <kaeo () merike com>
Date: Tue, 26 May 2009 17:23:52 -0700

I agree as well that ESP-Null is the way to go for integrity. From an operational perspective, if you are supporting both v4 and v6 (and you will) then having different protocols will be a nightmare. The common denominator is ESP-Null.

Realistically for IPsec, unless you have the scalable credential issue resolved and easier configs from vendors, the operational time sink will have many looking elsewhere to accomplish what's needed in the name of security. (total bummer IMHO).

- merike

On May 26, 2009, at 4:35 PM, Jack Kohn wrote:

The delusion that network operators can successfully use unhelpful protocols and/or smoke and mirrors to force idealist network design on others needs to end. People use new protocols because they are better. If the benefit of moving to a new protocol does not outweigh the pain of moving to it, people don't use it. That's why the OSI protocols did not kill IP like they were supposed to in the 90s, it is why the largely forgotten mandated move from Windows to secure OSes (i.e., Unix) for all government employees never happened, and it is why IPv6 is sputtering.

If people want to use NAT, they are going to use NAT. They may stop using it if the widespread adoption of peer to peer protocols means they are missing out on things other people are doing. They are not going to stop using NAT to use a protocol maliciously designed to break it; they will just wait, patiently and nearly always successfully, for somebody to come out with a version that has no such malice. They are certainly not going to stop using NAT because somebody tells them they should use a security protocol that does not secure anything worth securing.

BitTorrent is a better anti-NAT tool than AH ever will be. More carrot, less stick.


I agree. Folks are going to use ESP-NULL if they really want Integrity Protection.


-Dave
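The thread's two technical claims, that AH is "designed to break" NAT and that ESP-NULL is the common-denominator way to get integrity, both come down to which bytes the integrity check value (ICV) covers. The following is an added example written for this archive page; it is not code from the thread or from any IPsec implementation. It builds a minimal IPv4 transport-mode packet with AH (RFC 4302) and with ESP using NULL encryption (RFC 4303, RFC 2410), protects both with HMAC-SHA256-128, and then simulates a NAT rewriting the source address. Addresses, SPIs, the key and the payload are constructed sample values. The simulation deliberately ignores the IPv4 header checksum and the fact that a real NAT behind which ESP runs needs UDP encapsulation (RFC 3948) to have ports to translate; the point is only that AH's ICV includes the IP source address and ESP's does not, which is also why the ESP code below would work unchanged over an IPv6 outer header while the AH code would need a separate IPv6 mutable-field treatment.

```python
"""
Added example (not from the NANOG thread): AH vs ESP-NULL integrity
coverage, and what a NAT source-address rewrite does to each.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed sample SA key; a real SA key comes from IKE, not a constant.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                    "101112131415161718191a1b1c1d1e1f")
ICV_LEN = 16                      # HMAC-SHA256-128: tag truncated to 128 bits
PROTO_ESP, PROTO_AH, PROTO_TCP = 50, 51, 6


def icv(data: bytes) -> bytes:
    """Truncated HMAC-SHA256 over exactly the bytes each protocol protects."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    # IHL=5, DSCP/ECN=0, id=0x1234, DF set, header checksum left as zero.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


# ---------------- AH: ICV covers the IP header too ----------------

def ah_protected_bytes(ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """RFC 4302 3.3.3.1: zero the mutable IPv4 fields (DSCP/ECN, flags,
    fragment offset, TTL, checksum) and the ICV field, then hash everything
    else. Source and destination address are immutable and stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # DSCP/ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h) + ah_fixed + bytes(ICV_LEN) + payload


def build_ah_packet(src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    # next header, payload len (28-byte AH = 7 words, minus 2), reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", PROTO_TCP, 5, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 20 + len(ah_fixed) + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + icv(ah_protected_bytes(ip_hdr, ah_fixed, payload)) + payload


def verify_ah_packet(pkt: bytes) -> bool:
    ip_hdr, ah_fixed = pkt[:20], pkt[20:32]
    tag, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(tag, icv(ah_protected_bytes(ip_hdr, ah_fixed, payload)))


# ---------------- ESP-NULL: ICV never touches the IP header ----------------

def build_esp_null_packet(src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    pad_len = (-(len(payload) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))       # RFC 4303 default monotonic padding
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, PROTO_TCP])
    ip_hdr = ipv4_header(src, dst, PROTO_ESP, 20 + len(body) + ICV_LEN)
    return ip_hdr + body + icv(body)             # ICV: SPI..next-header, nothing outside ESP


def verify_esp_null_packet(pkt: bytes):
    """Returns (ok, payload); payload is empty when the ICV check fails."""
    body, tag = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(body)):
        return False, b""
    pad_len = body[-2]
    return True, body[8:len(body) - 2 - pad_len]


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """Simulated NAT: rewrite the IPv4 source address in place."""
    return pkt[:12] + IPv4Address(new_src).packed + pkt[16:]


def demo() -> dict:
    payload = b"GET / HTTP/1.0\r\n\r\n"          # constructed stand-in for a TCP segment
    ah = build_ah_packet("10.0.0.5", "192.0.2.10", 0x100, 1, payload)
    esp = build_esp_null_packet("10.0.0.5", "192.0.2.10", 0x200, 1, payload)
    tampered = bytearray(esp)
    tampered[28] ^= 0x01                         # flip first payload byte inside ESP
    return {
        "ah_direct": verify_ah_packet(ah),
        "esp_direct": verify_esp_null_packet(esp)[0],
        "ah_after_nat": verify_ah_packet(nat_rewrite_source(ah, "203.0.113.7")),
        "esp_after_nat": verify_esp_null_packet(nat_rewrite_source(esp, "203.0.113.7"))[0],
        "esp_tampered": verify_esp_null_packet(bytes(tampered))[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} {'verifies' if ok else 'FAILS'}")
```

Running it shows `ah_after_nat` failing while `esp_after_nat` still verifies and `esp_tampered` fails: the NAT never changed anything ESP's ICV covers, but it did change a field AH treats as immutable. That is the whole of the "AH breaks NAT" argument, and it is independent of whether the outer header is IPv4 or IPv6.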