nanog mailing list archives

Re: AH is pretty useless and perhaps should be deprecated


From: Steven Bellovin <smb () cs columbia edu>
Date: Sat, 14 Nov 2009 21:58:41 -0500


On Nov 14, 2009, at 8:28 PM, David Barak wrote:

> I've seen AH used as a "prove that this hasn't been through a NAT" mechanism.  In this context, it's pretty much
> perfect.
>
> However, what I don't understand is where the dislike for it originates: if you don't like it, don't run it.  It is
> useful in certain cases, and it's already in all of the production IPSec implementations.  Why the hate?

There are two reasons.  First, it's difficult to implement cleanly, since it violates layering: you have to know the 
contents of the surrounding IP header to calculate the AH field.  Back when I was security AD, I had implementors, 
especially implementors of on-NIC IPsec, beg me to get rid of it.  Second, it's redundant; if (as I believe), ESP with 
NULL encryption does everything useful that AH does, why have two mechanisms?


                --Steve Bellovin, http://www.cs.columbia.edu/~smb
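The following is an added illustration, not code from the thread or from any IPsec implementation, of the two points the exchange turns on: AH's integrity check value (ICV) is computed over the surrounding IP header with the mutable fields (TOS, flags/fragment offset, TTL, checksum) zeroed, so a hop decrementing the TTL is fine but a NAT rewriting the source address breaks verification, whereas an ESP-style ICV covers only the ESP header and payload and never looks at the outer IP header. It is a simplified model, not a wire-exact RFC 4302/4303 implementation: the MAC is HMAC-SHA256 truncated to 96 bits (an assumption for the demo, not the AH/ESP defaults), the ESP trailer is omitted, and the key, addresses and payload are constructed.

```python
"""Added illustration of AH vs ESP-NULL integrity coverage (not from the
thread).  Simplified: HMAC-SHA256 truncated to 12 bytes, no ESP trailer,
IPv4 header checksum left at zero (it is a mutable field either way)."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed; a real SA gets its key from IKE
ICV_LEN = 12                   # 96-bit truncated ICV, the usual IPsec size


def ipv4_header(src, dst, ttl, proto, total_len):
    # Minimal 20-byte IPv4 header with no options.
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0x1234, 0, ttl, proto, 0, src, dst)


def zero_mutable(hdr):
    # RFC 4302 3.3.3.1: TOS, flags/fragment offset, TTL and checksum are
    # mutable and are zeroed before the ICV is computed; addresses are not.
    h = bytearray(hdr)
    h[1] = 0                  # TOS / DSCP / ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_icv(ip_hdr, ah_fixed, payload):
    # AH's ICV covers the (sanitised) outer IP header, the AH header with the
    # ICV field zeroed, and the payload: this is the layering violation.
    data = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(src, dst, payload):
    # AH header: next header (6 = TCP), payload len = (24/4) - 2 = 4,
    # reserved, SPI, sequence number.
    ah_fixed = struct.pack("!BBHII", 6, 4, 0, 0x100, 1)
    ip = ipv4_header(src, dst, 64, 51, 20 + 12 + ICV_LEN + len(payload))
    return ip, ah_fixed + ah_icv(ip, ah_fixed, payload) + payload


def verify_ah(ip, body):
    ah_fixed, icv, payload = body[:12], body[12:12 + ICV_LEN], body[12 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(ip, ah_fixed, payload))


def esp_icv(esp_hdr, payload):
    # ESP integrity covers SPI, sequence number and payload only; with NULL
    # encryption the payload is plaintext, but the outer IP header is ignored.
    return hmac.new(KEY, esp_hdr + payload, hashlib.sha256).digest()[:ICV_LEN]


def build_esp_null_packet(src, dst, payload):
    esp_hdr = struct.pack("!II", 0x200, 1)  # SPI, sequence number
    ip = ipv4_header(src, dst, 64, 50, 20 + 8 + len(payload) + ICV_LEN)
    return ip, esp_hdr + payload + esp_icv(esp_hdr, payload)


def verify_esp_null(_ip, body):
    # The outer IP header is accepted but never consulted.
    esp_hdr, payload, icv = body[:8], body[8:-ICV_LEN], body[-ICV_LEN:]
    return hmac.compare_digest(icv, esp_icv(esp_hdr, payload))


def decrement_ttl(ip):
    # What every router on the path does.
    h = bytearray(ip)
    h[8] -= 1
    return bytes(h)


def nat_rewrite_src(ip, new_src):
    # What a NAT does (it would also recompute the checksum, a mutable field).
    h = bytearray(ip)
    h[12:16] = new_src
    return bytes(h)


def demo():
    src, dst = bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1])
    nat_src = bytes([198, 51, 100, 7])          # constructed addresses
    payload = b"constructed TCP segment bytes"
    ip_ah, ah = build_ah_packet(src, dst, payload)
    ip_esp, esp = build_esp_null_packet(src, dst, payload)
    return {
        "ah_untouched": verify_ah(ip_ah, ah),
        "ah_after_ttl_decrement": verify_ah(decrement_ttl(ip_ah), ah),
        "ah_after_nat": verify_ah(nat_rewrite_src(ip_ah, nat_src), ah),
        "esp_null_after_ttl_decrement": verify_esp_null(decrement_ttl(ip_esp), esp),
        "esp_null_after_nat": verify_esp_null(nat_rewrite_src(ip_esp, nat_src), esp),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'FAILS'}")
```

Run as a script, the AH packet verifies after a TTL decrement but fails after the NAT rewrite, which is exactly the "prove this hasn't been through a NAT" property; the ESP-NULL packet verifies in both cases because its ICV never includes the outer header, which is also why it can be implemented without reaching into the IP layer. Note that what AH detects is modification of the address fields, not NAT specifically: any middlebox that rewrites an immutable header field produces the same failure.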
