[119330] in North American Network Operators' Group
RE: AH is pretty useless and perhaps should be deprecated
daemon@ATHENA.MIT.EDU (Adam Stasiniewicz)
Sat Nov 14 14:47:16 2009
From: "Adam Stasiniewicz" <stasinia@msoe.edu>
To: "'Jack Kohn'" <kohn.jack@gmail.com>,
<nanog@nanog.org>
In-Reply-To: <dc8fd0140911131622n38af24f6je4bc4c0b8b7ad9d9@mail.gmail.com>
Date: Sat, 14 Nov 2009 13:46:09 -0600
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I have see AH used in network segmentation. I.e. systems is group A are
configured with rules to require all communication be over AH. Systems in
group B (which have no AH and no appropriate certificates configured) can't
chat with group A. The benefit of using AH vs. ESP in this case is twofold.
First, AH is less CPU intensive, and when one considers enabling it on
all/many workstations and servers in a company, that can add up to a lot of
CPU cycles. Second, since AH only signs, not encrypts, products like
network analyzers, IDS/IPS, etc can still perform their functions.
Outside of some manual deployments, the only commercial product I know that
offers AH based network segmentation is Microsoft's NAP:
http://www.microsoft.com/nap
Regards,
Adam Stasiniewicz
-----Original Message-----
From: Jack Kohn [mailto:kohn.jack@gmail.com]
Sent: Friday, November 13, 2009 6:23 PM
To: nanog@nanog.org
Subject: AH is pretty useless and perhaps should be deprecated
Hi,
Interesting discussion on the utility of Authentication Header (AH) in
IPSecME WG.
http://www.ietf.org/mail-archive/web/ipsec/current/msg05026.html
Post explaining that AH even though protecting the source and
destination IP addresses is really not good enough.
http://www.ietf.org/mail-archive/web/ipsec/current/msg05056.html
What do folks feel? Do they see themselves using AH in the future?
IMO, ESP and WESP are good enough and we dont need to support AH any
more ..
Jack
