nanog mailing list archives
RE: AH is pretty useless and perhaps should be deprecated
From: "Adam Stasiniewicz" <stasinia () msoe edu>
Date: Sat, 14 Nov 2009 13:46:09 -0600
I have seen AH used in network segmentation. I.e. systems in group A are configured with rules to require all communication be over AH. Systems in group B (which have no AH and no appropriate certificates configured) can't chat with group A.

The benefit of using AH vs. ESP in this case is twofold. First, AH is less CPU intensive, and when one considers enabling it on all/many workstations and servers in a company, that can add up to a lot of CPU cycles. Second, since AH only signs, not encrypts, products like network analyzers, IDS/IPS, etc. can still perform their functions.

Outside of some manual deployments, the only commercial product I know that offers AH-based network segmentation is Microsoft's NAP: http://www.microsoft.com/nap

Regards,
Adam Stasiniewicz

-----Original Message-----
From: Jack Kohn [mailto:kohn.jack () gmail com]
Sent: Friday, November 13, 2009 6:23 PM
To: nanog () nanog org
Subject: AH is pretty useless and perhaps should be deprecated

Hi,

Interesting discussion on the utility of Authentication Header (AH) in IPSecME WG.

http://www.ietf.org/mail-archive/web/ipsec/current/msg05026.html

Post explaining that AH even though protecting the source and destination IP addresses is really not good enough.

http://www.ietf.org/mail-archive/web/ipsec/current/msg05056.html

What do folks feel? Do they see themselves using AH in the future?

IMO, ESP and WESP are good enough and we don't need to support AH any more ..

Jack
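The two properties the reply leans on (AH covers the IP addresses but leaves the payload in the clear, so a sensor can still inspect it, and a host policy can simply refuse anything that does not carry a valid AH) can be seen in a small model of AH transport mode. The following is an added example and not code from the post, from NANOG or from Microsoft NAP: it builds an IPv4 packet with an AH header per RFC 4302 using HMAC-SHA-256-128 (RFC 4868) for the ICV, zeroes the mutable IPv4 fields (DSCP/ECN, flags, fragment offset, TTL, checksum) before computing the ICV, then shows that a passive sensor without the key reads the UDP payload, that a TTL decrement in transit still verifies, that a changed source address fails verification, and that a plain packet from a "group B" host is dropped by a "group A" policy. The key, addresses, SPI and payload are constructed values; SA lookup, the anti-replay window, IPv6 and extended sequence numbers are omitted.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constants from RFC 4302 (AH) and RFC 4868 (HMAC-SHA-256-128).
AH_PROTO = 51
UDP_PROTO = 17
ICV_LEN = 16        # HMAC-SHA-256 truncated to 128 bits
AH_FIXED_LEN = 12   # Next Header, Payload Len, Reserved, SPI, Sequence Number


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, total_len, proto, ttl=64, ident=0x1234):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def canonical_ipv4_header(hdr: bytes) -> bytes:
    """Zero the fields RFC 4302 treats as mutable in transit. Everything else,
    including source and destination addresses, stays under the ICV."""
    h = bytearray(hdr)
    h[1] = 0                  # DSCP / ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload) -> bytes:
    # ICV covers canonical IP header + AH (ICV field zeroed) + upper-layer payload.
    msg = canonical_ipv4_header(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:ICV_LEN]


def udp_datagram(sport, dport, data) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_ah_packet(key, src, dst, spi, seq, next_hdr, payload, ttl=64) -> bytes:
    ah_len = AH_FIXED_LEN + ICV_LEN
    payload_len_field = ah_len // 4 - 2     # AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", next_hdr, payload_len_field, 0, spi, seq)
    ip_hdr = build_ipv4_header(src, dst, 20 + ah_len + len(payload), AH_PROTO, ttl)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def build_plain_udp_packet(src, dst, payload) -> bytes:
    # What a host without IPsec configured (group B) sends.
    return build_ipv4_header(src, dst, 20 + len(payload), UDP_PROTO) + payload


def split_ah_packet(pkt):
    ip_hdr = pkt[:20]
    if ip_hdr[9] != AH_PROTO:
        return None
    ah_fixed = pkt[20:20 + AH_FIXED_LEN]
    ah_len = (ah_fixed[1] + 2) * 4
    return ip_hdr, ah_fixed, pkt[20 + AH_FIXED_LEN:20 + ah_len], pkt[20 + ah_len:]


def verify_ah_packet(key, pkt):
    """Return (ok, reason); ok is True only when the ICV matches."""
    parts = split_ah_packet(pkt)
    if parts is None:
        return False, "no AH header"
    ip_hdr, ah_fixed, icv, payload = parts
    if not hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload)):
        return False, "ICV mismatch"
    return True, "ok"


def visible_payload(pkt) -> bytes:
    """What a passive sensor with no key sees: AH leaves the payload in cleartext."""
    parts = split_ah_packet(pkt)
    return parts[3] if parts else pkt[20:]


def group_a_policy(key, pkt) -> str:
    """Group A host rule: accept only packets carrying a valid AH, drop everything else."""
    return "accept" if verify_ah_packet(key, pkt)[0] else "drop"


def decrement_ttl(pkt) -> bytes:
    """Model a router hop: TTL-1 and header checksum recomputed, AH untouched."""
    h = bytearray(pkt[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


if __name__ == "__main__":
    key = b"constructed-demo-key"     # constructed; a real SA key comes from IKE
    udp = udp_datagram(5353, 5353, b"hello group A")
    pkt = build_ah_packet(key, "10.0.1.10", "10.0.1.20", 0x1000, 1, UDP_PROTO, udp)
    print("sensor sees:", visible_payload(pkt))
    print("after a router hop:", verify_ah_packet(key, decrement_ttl(pkt)))
    spoofed = bytearray(pkt)
    spoofed[12:16] = ipaddress.IPv4Address("10.0.2.5").packed
    print("source address changed:", verify_ah_packet(key, bytes(spoofed)))
    print("group B plain packet:", group_a_policy(key, build_plain_udp_packet("10.0.2.5", "10.0.1.20", udp)))
```

The TTL case is why the mutable fields are excluded from the ICV: the packet must survive normal forwarding. The address case is the property the quoted IETF thread debates; the model only shows that AH does bind the addresses, not whether that binding is worth the header.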