Re: [IPsec] Avoiding Authentication Header (AH)

["Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>]

Hi Nico,
 
> Advising (and updating said advice as circumstances change) 
> use-IPsec protocol designers as to when to use ESP and/or AH 
> is something we should do.  Deprecating AH seems like a nice 
> idea, but if there's good reasons to still use it, then maybe not.

We're not talking about deprecating or killing AH. I concede that I did allude to it in my first draft, but then changed the tone based on the WG feedback, to say that we should "avoid" AH wherever possible.

What we're trying to say is this:

1. If folks have a reason to use AH then they're most welcome to use it. 

2. If there are topologies where it makes only sense to use AH then do that. Ran pointed out to some very specific cases where it apparently makes sense to use AH and I have no problems with people using AH there. In the view of most people there isn't a need for AH in the service provider network and I am fine with a few people disagreeing with me. 

3. If there are newer protocols that cant use ESP-NULL for some reason and need to extend AH, then they should do that. All we're saying is that those folks should not arbitrarily extend AH. They should have a good reason for doing so.

In short, if ESP-NULL can do the job, then DON'T mandate AH - no point having multiple protocols doing the same stuff. If it cant, then either (i) fix ESP or (ii) go ahead and use AH. Pick up whichever is more elegant and preferred by the community.

I think that's all that we're trying to say here.

Cheers, Manav