
Death to AH? (was: Reasons for AH & ESP )



At 09:09 AM 6/1/2000 -0400, Steven M. Bellovin wrote:

>Some of us have argued against AH for years --
>I still have a note I sent in 1995 detailing its uselessness.  But I
>see no consensus to re-open the question; I certainly don't intend to
>lead any charge to delete it from the spec as we move towards Draft
>Standard.  (Admittedly, I have considered such an effort, but I don't
>think enough people or views have changed to make it worthwhile, and
>I'd rather not stir up pointless controversy.)

I might think the first step toward that is to poll this diverse group to 
see if anyone is deploying AH and could not use ESP NULL instead.

I am all for a rough consensus that will change the IPsec/IKE standards to 
list AH as a Historical protocol that should not be implemented anymore.

I suspect that a number of vendors only have it in their product for the 
'check box' syndrome.

I would also be interested in a lively debate by IPv6 knowledgeable 
engineers that can counter Steve B's concerns on the real value of AH to v6.

However, I might point out that some vendors have had their ICSA 
certification delayed while they hustled to add the NULL encryption to 
their ESP implementation.  Like they never read our criteria before product 
submission.  Speaking of NULL, it is also sad how many vendors 
implemented it with a key length of ZERO.  That is, in IKE they explicitly 
specified the key length as ZERO.



Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com
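The question raised in this message, whether ESP with NULL encryption can stand in for AH, comes down to what each protocol's integrity check value covers. The following example is added here and is not code from the original message or from any vendor's implementation; it builds minimal IPv4 transport-mode AH (RFC 4302) and ESP-NULL (RFC 2410 / RFC 4303) packets authenticated with HMAC-SHA1-96 and then shows which modifications each one detects. The key, addresses, SPIs and payload are constructed for the demo, the IPv4 header checksum is left zero, and no anti-replay or SA lookup is done. Note that the ESP-NULL path carries no encryption key at all, only the integrity key; the "key length of ZERO" mentioned above refers to a cipher that has nothing to key.

```python
"""Added example (not part of the original message): AH versus ESP-NULL coverage.

Builds IPv4 transport-mode AH (RFC 4302) and ESP with NULL encryption
(RFC 2410 / RFC 4303) packets, both using HMAC-SHA1-96, and checks which
header and payload modifications each integrity check value (ICV) detects.
All packet contents and the key are constructed for this demo."""
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 12                                  # HMAC-SHA1-96: 160-bit tag truncated to 96 bits
IPPROTO_AH, IPPROTO_ESP, IPPROTO_UDP = 51, 50, 17
IPV4_FMT = "!BBHHHBBH4s4s"                     # 20-byte IPv4 header without options


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64, tos: int = 0) -> bytes:
    # Version 4, IHL 5 (0x45); DF flag set; header checksum left as zero for the demo.
    return struct.pack(IPV4_FMT, 0x45, tos, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    # RFC 4302 s3.3.3.1.1.1: for IPv4, TOS (DSCP/ECN), Flags, Fragment Offset, TTL and
    # Header Checksum are mutable and are zeroed before the AH ICV is computed.
    vihl, _tos, tlen, ident, _flagfrag, _ttl, proto, _csum, s, d = struct.unpack(IPV4_FMT, ip_hdr)
    return struct.pack(IPV4_FMT, vihl, 0, tlen, ident, 0, 0, proto, 0, s, d)


def build_ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int,
                    payload: bytes, next_header: int = IPPROTO_UDP) -> bytes:
    ah_len = 12 + ICV_LEN                     # Next Hdr, Payload Len, Reserved, SPI, Seq, ICV
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + ah_len + len(payload))
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 4302 s2.2).
    ah_noicv = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    # AH ICV covers the (mutable-zeroed) IP header, the AH header with ICV zeroed, and the payload.
    icv = hmac_sha1_96(key, zero_mutable_fields(ip_hdr) + ah_noicv + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_noicv + icv + payload


def verify_ah_packet(key: bytes, pkt: bytes) -> bool:
    ip_hdr, rest = pkt[:20], pkt[20:]
    ah_noicv, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    expected = hmac_sha1_96(key, zero_mutable_fields(ip_hdr) + ah_noicv + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(expected, icv)


def build_esp_null_packet(key: bytes, src: str, dst: str, spi: int, seq: int,
                          payload: bytes, next_header: int = IPPROTO_UDP) -> bytes:
    # NULL encryption needs no key and no IV; only ESP's own 4-byte alignment of the
    # trailer applies (RFC 4303 s2.4), so pad so that Pad Length + Next Header end on a word.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))    # default monotonically increasing padding bytes
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac_sha1_96(key, body)             # ESP ICV covers SPI through Next Header only
    ip_hdr = ipv4_header(src, dst, IPPROTO_ESP, 20 + len(body) + ICV_LEN)
    return ip_hdr + body + icv


def verify_esp_null_packet(key: bytes, pkt: bytes) -> bool:
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(hmac_sha1_96(key, body), icv)


# In-flight modifications an on-path party could make (constructed for the demo).
def set_ttl(pkt: bytes, ttl: int) -> bytes:
    return pkt[:8] + bytes([ttl]) + pkt[9:]


def set_dst(pkt: bytes, dst: str) -> bytes:
    return pkt[:16] + ipaddress.IPv4Address(dst).packed + pkt[20:]


def flip_byte(pkt: bytes, offset: int) -> bytes:
    return pkt[:offset] + bytes([pkt[offset] ^ 0xFF]) + pkt[offset + 1:]


def demo() -> dict:
    key = b"0123456789abcdef0123"             # constructed 160-bit HMAC-SHA1 key (RFC 2404)
    payload = b"hello, integrity"
    ah = build_ah_packet(key, "10.0.0.1", "10.0.0.2", 0x100, 1, payload)
    esp = build_esp_null_packet(key, "10.0.0.1", "10.0.0.2", 0x200, 1, payload)
    return {
        "ah_ok": verify_ah_packet(key, ah),
        "esp_ok": verify_esp_null_packet(key, esp),
        # TTL is mutable: a router decrementing it must not break either protocol.
        "ah_ttl_change_detected": not verify_ah_packet(key, set_ttl(ah, 63)),
        "esp_ttl_change_detected": not verify_esp_null_packet(key, set_ttl(esp, 63)),
        # Destination address: AH covers it, ESP-NULL leaves the outer IP header unprotected.
        "ah_dst_change_detected": not verify_ah_packet(key, set_dst(ah, "10.0.0.9")),
        "esp_dst_change_detected": not verify_esp_null_packet(key, set_dst(esp, "10.0.0.9")),
        # Payload: both detect a flipped byte (AH payload starts at 20+24, ESP payload at 20+8).
        "ah_payload_change_detected": not verify_ah_packet(key, flip_byte(ah, 20 + 24)),
        "esp_payload_change_detected": not verify_esp_null_packet(key, flip_byte(esp, 20 + 8)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The result the debate turns on is the destination-address row: AH detects the rewrite because the immutable IPv4 fields are part of its ICV, while ESP-NULL accepts the packet because its ICV starts at the SPI. Everything ESP-NULL does protect (payload and ESP header) AH protects as well, which is why the message above asks who actually needs that extra header coverage.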


