Re: Deprecation of AH header from the IPSEC tool kit
Paul Koning writes:
> It's never been the point of any of this discussion to deprecate the
> notion that authentication is useful -- the issue is whether it makes
> sense to retain AH when ESP does the job with significantly less
> hassle.
What keeps nagging at me is the overhead of both AH
and ESP, not to mention the added complexity.
This might be water well under the bridge, but has
the thought of having a mode to ESP which protects the
outer headers been considered? I know that's contrary to the
"encapsulating" part, but if we want to converge
on one crypto header, it seems to me that placing
an artificial restriction that outside headers can
never be protected is pretty arbitrary and wrongheaded
(even though I'm persuaded by Steve Bellovin's arguments
about v4 headers).
Mike