Re: AH is pretty useless and perhaps should be deprecated

[Marshall Eubanks <tme () americafree tv>]

On Nov 14, 2009, at 9:58 PM, Steven Bellovin wrote:

> On Nov 14, 2009, at 8:28 PM, David Barak wrote:
>
> > I've seen AH used as a "prove that this hasn't been through a NAT"  
> > mechanism.  In this context, it's pretty much perfect.
> >
> > However, what I don't understand is where the dislike for it  
> > originates: if you don't like it, don't run it.  It is useful in  
> > certain cases, and it's already in all of the production IPSec  
> > implementations.  Why the hate?
>
> There are two reasons.  First, it's difficult to implement cleanly,  
> since it violates layering: you have to know the contents of the  
> surrounding IP header to calculate the AH field.  Back when I was  
> security AD, I had implementors, especially implementors of on-NIC  
> IPsec, beg me to get rid of it.  Second, it's redundant; if (as I  
> believe), ESP with NULL encryption does everything useful that AH  
> does, why have two mechanisms?

Maybe someone should push through a "IPSEC-lite" in the same way we  
are pushing through IGMPv3-lite.

>                 --Steve Bellovin, http://www.cs.columbia.edu/~smb

Regards
Marshall

>