Re: Does anybody out there use Authentication Header (AH)?

[Jack Kohn <kohn.jack () gmail com>]

Tom,

It seems NIST recommends ESP over AH.

You can look at the following 2 emails from Manav and Sriram on the IPsecME WG:

http://www.ietf.org/mail-archive/web/ipsec/current/msg07403.html
http://www.ietf.org/mail-archive/web/ipsec/current/msg07407.html

Jack

On Mon, Jan 2, 2012 at 5:57 AM, TR Shaw <tshaw () oitc com> wrote:
> On Jan 1, 2012, at 7:12 PM, John Smith wrote:
>
> > Hi,
> >
> > I am trying to see if there are people who use AH specially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. 
> > While operators may not care about a MAY or a MUST in an RFC, but the IETF protocols and vendors do. So all 
> > protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.
> >
> > Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might 
> > want to use AH? OR is it that people dont care and just use what their vendors provide them?
> >
> > Regards,
> > John
>
> AH provides for  connectionless integrity and data origin authentication and provides protection against replay 
> attacks.  Many US Gov departments that have to follow NIST and do not understand what this means require it between 
> internal point-to-point routers between one portion of their organization and another adding more expense for no 
> increase in operational security.
>
> If you are following NIST or DCID-63, this is required to meet certain integrity requirements
>
> ESP provides confidentiality,  data origin authentication,  connectionless integrity,  an anti-replay service,  and 
> limited traffic flow confidentiality.  EG AH portion provides for the integrity requirement and the ESP encryption 
> provides for the confidentiality requirement of NIST.
>
> Think of AH that it is like just signing a PGPMail and ESP as signing and encrypting a PGPMail.
>
> There are reasons for both.
>
> Tom