Re: [IPsec] WESP - Roadmap Ahead

Steven Bellovin <> Thu, 12 November 2009 18:27 UTC

From: Steven Bellovin <>
Date: Thu, 12 Nov 2009 09:54:43 -0500
To: Stephen Kent <>
Cc: Jack Kohn <>
Subject: Re: [IPsec] WESP - Roadmap Ahead

On Nov 11, 2009, at 3:56 PM, Stephen Kent wrote:

> Jack,
> I would have no problem deprecating AH in the context of the IPsec architecture document, if others agree. It is less efficient than ESP-NULL. However, other WGs have cited AH as the IPsec protocol of choice for integrity/authentication in their environments, so there will be a need to coordinate with them, and it may be unacceptable to kill AH as a standalone protocol for them.

I believe that most such uses date from the "just use IPsec" era of security design.  I further suspect that it is very rarely used or even implemented in practice, and that in many cases it wouldn't in fact have been usable.

Yes, as a matter of due diligence someone needs to check if it's still mandated for anything, and if so figure out what to do.  But I'd be very happy if AH were to go away; I concluded in 1995 that it was pretty useless.

		--Steve Bellovin,