Re: [IPsec] Avoiding Authentication Header (AH)

["Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>]

Hi Marc,

We don't say that. 4301 says that implementations MAY support AH and MUST support ESP.

This creates a problem for implementations if in future a new application or a protocol mandates the use of AH. 

I will even go a step further and say that newer protocols should just assume ESP-NULL and not even bother with AH if they can do with just ESP.

Cheers, Manav

-----Original Message-----
From: mcr@sandelman.ca [mailto:mcr@sandelman.ca] 
Sent: Wednesday, January 04, 2012 7:46 PM
To: Bhatia, Manav (Manav)
Cc: Nico Williams; ipsec@ietf.org
Subject: Re: [IPsec] Avoiding Authentication Header (AH)


>>>>> "Manav" == Manav Bhatia <Bhatia> writes:
    Manav> Hi Nico,
 
    >> Advising (and updating said advice as circumstances change)
    >> use-IPsec protocol designers as to when to use ESP and/or AH is
    >> something we should do.  Deprecating AH seems like a nice idea,
    >> but if there's good reasons to still use it, then maybe not.

    Manav> We're not talking about deprecating or killing AH. I concede
    Manav> that I did allude to it in my first draft, but then changed
    Manav> the tone based on the WG feedback, to say that we should
    Manav> "avoid" AH wherever possible.

This is the status quo already.
Why do we need this draft?

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
	               then sign the petition.