[119333] in North American Network Operators' Group
Re: AH is pretty useless and perhaps should be deprecated
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Sat Nov 14 21:59:59 2009
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <107749.71985.qm@web31814.mail.mud.yahoo.com>
Date: Sat, 14 Nov 2009 21:58:41 -0500
To: David Barak <thegameiam@yahoo.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Nov 14, 2009, at 8:28 PM, David Barak wrote:
> I've seen AH used as a "prove that this hasn't been through a NAT" mechanism.  In this context, it's pretty much perfect.
>
> However, what I don't understand is where the dislike for it originates: if you don't like it, don't run it.  It is useful in certain cases, and it's already in all of the production IPSec implementations.  Why the hate?
There are two reasons.  First, it's difficult to implement cleanly, since it violates layering: you have to know the contents of the surrounding IP header to calculate the AH field.  Back when I was security AD, I had implementors, especially implementors of on-NIC IPsec, beg me to get rid of it.  Second, it's redundant; if (as I believe), ESP with NULL encryption does everything useful that AH does, why have two mechanisms?
		--Steve Bellovin, http://www.cs.columbia.edu/~smb
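The two points in the thread, AH's layering violation and its "has this been through a NAT" property, can be shown side by side in a small simulation. This is an added example, not code from the post or from any IPsec implementation: the key, addresses and payload are constructed, the AH ICV is simplified to an HMAC over the IP header (with the RFC 4302 mutable fields zeroed) plus payload, and the ESP-NULL ICV covers only the ESP header and payload.

```python
import hmac, hashlib, struct
from ipaddress import IPv4Address

KEY = b"constructed-demo-key"   # constructed; not from the post

def ipv4_header(src, dst, ttl=64, proto=51, total_len=60, dscp_ecn=0):
    """Build a 20-byte IPv4 header with no options (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp_ecn, total_len, 0x1234,
                       0x4000, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def ah_icv(ip_hdr, payload):
    """AH-style ICV: HMAC over the surrounding IP header plus payload.
    The mutable fields (DSCP/ECN, flags+fragment offset, TTL, checksum)
    must be zeroed first, so the AH code has to parse and rewrite the
    IP header it sits inside. That is the layering problem in the post."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # DSCP/ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:12]

def esp_null_icv(esp_pdu):
    """ESP with NULL encryption: ICV covers the ESP header and payload
    only; the outer IP header is never touched."""
    return hmac.new(KEY, esp_pdu, hashlib.sha256).digest()[:12]

def check_transit(ttl_after, src_after):
    """Sender protects a packet, the network modifies it in transit,
    receiver verifies. Returns (ah_verifies, esp_null_verifies)."""
    esp_pdu = struct.pack("!II", 0x100, 1) + b"constructed payload"  # SPI, seq, data
    sent_hdr = ipv4_header("10.0.0.2", "192.0.2.10", ttl=64)
    ah, esp = ah_icv(sent_hdr, esp_pdu), esp_null_icv(esp_pdu)
    recv_hdr = ipv4_header(src_after, "192.0.2.10", ttl=ttl_after)
    ah_ok = hmac.compare_digest(ah, ah_icv(recv_hdr, esp_pdu))
    esp_ok = hmac.compare_digest(esp, esp_null_icv(esp_pdu))
    return ah_ok, esp_ok

if __name__ == "__main__":
    print("router hop (TTL 64->63):", check_transit(63, "10.0.0.2"))
    print("NAT rewrote source:     ", check_transit(63, "203.0.113.5"))
```

A plain router hop leaves both ICVs valid because TTL is a mutable field, while a NAT that rewrites the source address breaks the AH ICV but not the ESP-NULL one, which is exactly why AH works as a NAT detector and ESP-NULL does not.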