Re: [IPsec] Avoiding Authentication Header (AH)

RJ Atkinson <rja.lists@gmail.com> Mon, 02 January 2012 21:28 UTC

From: RJ Atkinson <rja.lists@gmail.com>
Date: Mon, 02 Jan 2012 16:28:53 -0500
To: IPsec ME WG List <ipsec@ietf.org>
Subject: Re: [IPsec] Avoiding Authentication Header (AH)

On 02 Jan 2012, at 14:24, Jack Kohn wrote:
>> While AH uses are limited today, just as the use of
>> IP options/extensions are limited today, current active
>> uses of AH in real-world deployments today include at least
>> these -- built using commercial off-the-shelf products:
> 
> BTW, there is a discussion going on in NANOG on who uses AH
> and nobody seems to be raising their hands.
> 
> Obviously, one can't draw too much from that,
> but it just gives you a data point.

I absolutely believe that.  It is not a surprise.
More data is almost always better than less data.

NANOG list membership is mostly, not entirely, but mostly,
ISP folks and content providers.  Threat models for ISPs
tend to focus on protecting the transit infrastructure
and their provisioning/management platforms.  Many ISPs
seem to share similar threat models.

Threat models for end users tend to be different -- and
vary pretty widely.

I haven't been at an ISP for a decade, but I'd be surprised
to see an ISP put a firewall in their transit network,
whereas many enterprise deployments have multiple firewalls
(and also IDSs and other boxes) throughout their network.

Threat models vary between ISPs and enterprises and other users.
Common deployment models vary also by type of user.

ISPs tend to deploy I/IS-IS as their IGP for a range of reasons,
while other users more commonly deploy OSPF as their IGP.
No doubt there are exceptions to those trends.

Financial institutions are obvious examples of high-threat
environments.  A compromise at a large financial institution
could have a very high monetary cost to the victim institution.
Often this means large financial institutions find it
worthwhile to deploy security measures that other sites
do not find worthwhile.

Cheers,

Ran