[119336] in North American Network Operators' Group


Re: AH is pretty useless and perhaps should be deprecated

daemon@ATHENA.MIT.EDU (Marshall Eubanks)
Sun Nov 15 04:13:04 2009

From: Marshall Eubanks <tme@americafree.tv>
To: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <093B72CA-7F7D-4FBB-836E-E082D931705F@cs.columbia.edu>
Date: Sun, 15 Nov 2009 04:12:19 -0500
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Nov 14, 2009, at 9:58 PM, Steven Bellovin wrote:

>
> On Nov 14, 2009, at 8:28 PM, David Barak wrote:
>
>> I've seen AH used as a "prove that this hasn't been through a NAT"  
>> mechanism.  In this context, it's pretty much perfect.
>>
>> However, what I don't understand is where the dislike for it  
>> originates: if you don't like it, don't run it.  It is useful in  
>> certain cases, and it's already in all of the production IPSec  
>> implementations.  Why the hate?
>
> There are two reasons.  First, it's difficult to implement cleanly,  
> since it violates layering: you have to know the contents of the  
> surrounding IP header to calculate the AH field.  Back when I was  
> security AD, I had implementors, especially implementors of on-NIC  
> IPsec, beg me to get rid of it.  Second, it's redundant; if (as I  
> believe), ESP with NULL encryption does everything useful that AH  
> does, why have two mechanisms?
>

Maybe someone should push through an "IPSEC-lite" in the same way we
are pushing through IGMPv3-lite.

>
> 		--Steve Bellovin, http://www.cs.columbia.edu/~smb

Regards
Marshall

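To make Steve's layering point concrete, here is an added example (not code from the thread) that models which bytes the AH and ESP-NULL integrity checks cover, following RFC 4302's mutable-field rules with HMAC-SHA1-96; the key, SPI, addresses and payload are constructed placeholders and IP options are omitted. A router's TTL decrement leaves the AH ICV valid while a NAT source-address rewrite breaks it, which is the "has this been NATed" check David describes, and ESP-NULL never takes the IP header as input at all.

```python
import hashlib
import hmac
import struct
from socket import inet_aton

# Constructed demo values: placeholder key, SPI and payload, not real traffic.
KEY = b"constructed-demo-key"
SPI, SEQ = 0x1000, 1
AH_PROTO, TCP = 51, 6
PAYLOAD = b"constructed TCP segment"

def ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0):
    """Build a 20-byte IPv4 header (checksum left 0; it is mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234,
                       0x4000, ttl, proto, 0, inet_aton(src), inet_aton(dst))

def zero_mutable_fields(ip_hdr):
    """RFC 4302 Appendix A: ToS, flags/fragment offset, TTL and checksum are
    zeroed before the ICV is computed; the addresses stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS / DSCP / ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def hmac_sha1_96(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]  # RFC 2404 truncation

def ah_icv(ip_hdr, payload):
    """AH: ICV covers the mutable-zeroed IP header, the AH header (ICV field
    zeroed) and the payload, so AH code must parse the surrounding IP header."""
    ah_hdr = struct.pack("!BBHII", TCP, 4, 0, SPI, SEQ) + bytes(12)  # 24 bytes
    return hmac_sha1_96(zero_mutable_fields(ip_hdr) + ah_hdr + payload)

def esp_null_icv(payload):
    """ESP-NULL: ICV covers only ESP header, payload and trailer; the IP
    header is never an input, so a NAT rewriting addresses cannot break it."""
    trailer = bytes([0, TCP])  # pad length 0, next header
    return hmac_sha1_96(struct.pack("!II", SPI, SEQ) + payload + trailer)

def ah_verifies(sender, receiver):
    """sender/receiver are (src, dst, ttl) as seen at each end; True if the
    receiver recomputes the AH ICV the sender attached."""
    hdr = lambda s, d, ttl: ipv4_header(s, d, AH_PROTO, 24 + len(PAYLOAD), ttl)
    return ah_icv(hdr(*sender), PAYLOAD) == ah_icv(hdr(*receiver), PAYLOAD)
```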


