Re: [IPsec] Working Group Last Call: draft-ietf-ipsecme-esp-ah-reqts

"Valery Smyslov" <> Wed, 26 February 2014 07:07 UTC

From: "Valery Smyslov" <>
To: "Paul Hoffman" <>, "Paul Wouters" <>
Date: Wed, 26 Feb 2014 11:07:11 +0400
Cc: ipsec <>
Subject: Re: [IPsec] Working Group Last Call: draft-ietf-ipsecme-esp-ah-reqts

Hi Paul,

>> It lists NULL ESP as a MUST. Wasn't this a MUST a leftover from the old
>> crypto export restrictions? While I think NULL ESP is a good debugging
>> tool, and a good replacement for AH in general, I don't think this is
>> really a MUST item (unless you would actually advise people to migrate
>> from AH to ESP NULL, in which case I'll cheer on this MUST)
> It is for systems that don't implement AH. We should probably say this 
> explicitly in section 3.

I don't think it is limited to those systems only.
You may implement AH, but you cannot use it
everywhere, as it is not compatible with NATs.
And ESP-NULL with Auth is the only substitute there.
So, it must be MUST for any system.

Valery Smyslov.
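
An added illustration of the NAT point made in the message above, not part of the original e-mail or of the draft: a simplified Python model in which the AH integrity check value (ICV) covers the IP addresses while the ESP-NULL ICV covers only the ESP packet. The key, addresses, SPI values and all function names are constructed for the example; the rest of the IP header and NAT traversal encapsulation are left out.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"   # constructed sample key, not a real SA key
ICV_LEN = 12                    # 96-bit truncated HMAC, as in HMAC-SHA1-96

def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]

def ip_fields(src: str, dst: str, proto: int) -> bytes:
    # Immutable IP header fields kept in this model: addresses and protocol.
    return socket.inet_aton(src) + socket.inet_aton(dst) + bytes([proto])

def ah_protect(src, dst, spi, seq, payload):
    # AH (protocol 51): ICV covers IP header fields, AH header and payload.
    ah_hdr = struct.pack("!II", spi, seq)
    tag = icv(ip_fields(src, dst, 51) + ah_hdr + payload)
    return {"src": src, "dst": dst, "ah": ah_hdr, "payload": payload, "icv": tag}

def ah_verify(pkt) -> bool:
    data = ip_fields(pkt["src"], pkt["dst"], 51) + pkt["ah"] + pkt["payload"]
    return hmac.compare_digest(icv(data), pkt["icv"])

def esp_null_protect(src, dst, spi, seq, payload):
    # ESP with NULL encryption: payload stays in clear; ICV covers SPI,
    # sequence number, payload and trailer, but nothing from the IP header.
    trailer = bytes([0, 6])     # pad length 0, next header 6 (TCP)
    body = struct.pack("!II", spi, seq) + payload + trailer
    return {"src": src, "dst": dst, "esp": body, "icv": icv(body)}

def esp_null_verify(pkt) -> bool:
    return hmac.compare_digest(icv(pkt["esp"]), pkt["icv"])

def nat(pkt, public_src):
    # A NAT rewrites the source address and leaves the rest untouched.
    return dict(pkt, src=public_src)

def demo():
    ah = ah_protect("10.0.0.5", "198.51.100.7", 0x1001, 1, b"hello")
    esp = esp_null_protect("10.0.0.5", "198.51.100.7", 0x2001, 1, b"hello")
    return {
        "ah_direct": ah_verify(ah),
        "ah_after_nat": ah_verify(nat(ah, "192.0.2.1")),
        "esp_null_direct": esp_null_verify(esp),
        "esp_null_after_nat": esp_null_verify(nat(esp, "192.0.2.1")),
    }

if __name__ == "__main__":
    print(demo())
```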