nanog mailing list archives
Re: AH is pretty useless and perhaps should be deprecated
From: Marshall Eubanks <tme () americafree tv>
Date: Sun, 15 Nov 2009 04:12:19 -0500
On Nov 14, 2009, at 9:58 PM, Steven Bellovin wrote:

> On Nov 14, 2009, at 8:28 PM, David Barak wrote:
>
>> I've seen AH used as a "prove that this hasn't been through a NAT" mechanism. In this context, it's pretty much perfect.
>>
>> However, what I don't understand is where the dislike for it originates: if you don't like it, don't run it. It is useful in certain cases, and it's already in all of the production IPSec implementations. Why the hate?
>
> There are two reasons. First, it's difficult to implement cleanly, since it violates layering: you have to know the contents of the surrounding IP header to calculate the AH field. Back when I was security AD, I had implementors, especially implementors of on-NIC IPsec, beg me to get rid of it. Second, it's redundant; if (as I believe) ESP with NULL encryption does everything useful that AH does, why have two mechanisms?

Maybe someone should push through an "IPSEC-lite" in the same way we are pushing through IGMPv3-lite.

> --Steve Bellovin, http://www.cs.columbia.edu/~smb

Regards
Marshall
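The two points in the exchange above (AH's ICV has to reach into the enclosing IP header, which is why it both detects NAT and violates layering, while ESP with NULL encryption authenticates only the ESP header and payload) can be made concrete with a small packet model. The code below is an added example, not code from this thread or from any IPsec implementation. It assumes HMAC-SHA1-96 as the integrity algorithm, a constructed shared key, option-less IPv4 headers, and constructed packets; a real NAT or router would also touch other fields, but the mutable-field rules of RFC 4302 are what decide the outcome.

```python
"""AH vs ESP-NULL integrity coverage on constructed IPv4 packets (added example)."""
import hmac
import hashlib
import struct

KEY = b"constructed-demo-key"   # constructed key shared by both SAs in this demo
PROTO_AH, PROTO_ESP, PROTO_TCP = 51, 50, 6
ICV_LEN = 12                    # HMAC-SHA1-96 truncates the MAC to 96 bits
IPV4 = "!BBHHHBBH4s4s"          # ver/ihl, tos, len, id, flags+frag, ttl, proto, csum, src, dst


def ip_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(hdr: bytes) -> bytes:
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", ip_checksum(zeroed)) + zeroed[12:]


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    return with_checksum(struct.pack(IPV4, 0x45, 0, total_len, 1, 0x4000, ttl, proto, 0, s, d))


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    # RFC 4302 s3.3.3.1: TOS, Flags, Fragment Offset, TTL and Header Checksum are
    # mutable in transit and are zeroed for the ICV. Everything else in the outer
    # header (addresses included) is covered, which is why AH must parse that header.
    f = list(struct.unpack(IPV4, ip_hdr))
    f[1], f[4], f[5], f[7] = 0, 0, 0, 0
    return struct.pack(IPV4, *f)


def ah_icv(ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    data = zero_mutable_fields(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(src: str, dst: str, payload: bytes, spi: int = 0x1001, seq: int = 1) -> bytes:
    ah_len = 12 + ICV_LEN                       # fixed AH fields plus the ICV
    ah_no_icv = struct.pack("!BBHII", PROTO_TCP, ah_len // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 20 + ah_len + len(payload))
    return ip_hdr + ah_no_icv + ah_icv(ip_hdr, ah_no_icv, payload) + payload


def verify_ah(packet: bytes) -> bool:
    ip_hdr, rest = packet[:20], packet[20:]
    ah_no_icv, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_no_icv, payload))


def build_esp_null_packet(src: str, dst: str, payload: bytes, spi: int = 0x2001, seq: int = 1) -> bytes:
    # ESP-NULL: the ICV covers SPI, sequence number, payload and trailer only.
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(pad_len) + bytes([pad_len, PROTO_TCP])
    esp_body = struct.pack("!II", spi, seq) + payload + trailer
    icv = hmac.new(KEY, esp_body, hashlib.sha1).digest()[:ICV_LEN]
    return ipv4_header(src, dst, PROTO_ESP, 20 + len(esp_body) + ICV_LEN) + esp_body + icv


def verify_esp_null(packet: bytes) -> bool:
    esp_body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(KEY, esp_body, hashlib.sha1).digest()[:ICV_LEN])


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    # Source NAT: rewrite the (immutable, AH-covered) source address and fix the checksum.
    f = list(struct.unpack(IPV4, packet[:20]))
    f[8] = bytes(int(o) for o in new_src.split("."))
    return with_checksum(struct.pack(IPV4, *f)) + packet[20:]


def forward_hop(packet: bytes) -> bytes:
    # Plain router forwarding: TTL decrement and checksum update, both mutable fields.
    f = list(struct.unpack(IPV4, packet[:20]))
    f[5] -= 1
    return with_checksum(struct.pack(IPV4, *f)) + packet[20:]


def demo() -> dict:
    payload = b"constructed TCP segment"
    ah = build_ah_packet("10.0.0.2", "192.0.2.10", payload)
    esp = build_esp_null_packet("10.0.0.2", "192.0.2.10", payload)
    esp_tampered = esp[:28] + bytes([esp[28] ^ 0x01]) + esp[29:]   # flip one payload bit
    return {
        "ah_direct": verify_ah(ah),
        "ah_after_router_hop": verify_ah(forward_hop(ah)),
        "ah_after_nat": verify_ah(nat_rewrite_source(ah, "198.51.100.7")),
        "esp_null_after_nat": verify_esp_null(nat_rewrite_source(esp, "198.51.100.7")),
        "esp_null_tampered_payload": verify_esp_null(esp_tampered),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running it shows the split in the thread: AH survives ordinary forwarding (only mutable fields change) but fails after a source NAT, which is exactly the "hasn't been through a NAT" property, while ESP-NULL still verifies after the same NAT yet still catches a modified payload. The cost shows up in `zero_mutable_fields`: the AH code path cannot be written without knowing the IPv4 header layout, and an IPv6 version needs a separate mutable-field list.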