
Death to AH (was Re: SA identification)




Henry Spencer wrote:
> 
> On Thu, 22 Mar 2001, Stephen Kent wrote:
> > really whether anyone manages SPIs in a fashion that relies on using
> > the other two values for differentiation.
> 
> Linux FreeS/WAN currently makes minor use of the ability to assign the
> same SPI to SAs of different protocols, for the case where a single
> connection uses multiple protocols (e.g. AH+ESP).  We're not strongly
> attached to this, however... especially since we definitely belong to the
> "Death to AH!!!" faction.
> 
>                                                           Henry Spencer
>                                                        henry@spsystems.net

Yes, quick death to AH please! I've now been writing a new draft for how
to pass AH through NATs using UDP encapsulation (a continuation of the 
work that was presented in the WG meeting). It just basically sucks, and
I'd much rather NOT do it at all! All the people doing the relevant
drafts pretty much agreed that no-one wants to do it, but IPsec requires
AH so we feel we're compelled to do it.

When there was discussion about why AH at all, the only real reason that
I can recollect was that Mobile-IPv6 uses it to protect Binding Updates.
Well, guess what, AH doesn't really work for them either, as witnessed
in the WG meeting today.

Even if AH is not killed at once, a decision by this WG that AH doesn't
need to go through NATs would help us a lot!

Ari

-- 
Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F-Secure products: Integrated Solutions for Enterprise Security
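The reason an AH-through-NAT draft is such unpleasant work can be shown in a few lines. The added example below (mine, not code from the thread or from FreeS/WAN) builds a minimal IPv4 packet, computes an AH integrity check value over the immutable header fields plus payload and an ESP-style ICV over only the ESP header plus payload, then lets a NAT rewrite the source address. The key, SPI, sequence number and addresses are constructed; HMAC-SHA1-96 is used as the ICV algorithm.

```python
import hmac, hashlib, struct, socket

# Constructed sample SA parameters (not from the original thread).
KEY = b"constructed-demo-key"
SPI, SEQ = 0x1001, 7

def ipv4_header(src: str, dst: str, ttl: int, proto: int, total_len: int) -> bytes:
    """Minimal IPv4 header without options; the checksum is left as zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr: bytes) -> bytes:
    """AH (RFC 2402) zeroes the mutable IP fields before computing the ICV:
    TOS, flags/fragment offset, TTL and checksum. The addresses stay covered,
    which is exactly what a NAT has to rewrite."""
    b = bytearray(hdr)
    b[1] = 0            # TOS
    b[6:8] = b"\0\0"    # flags + fragment offset
    b[8] = 0            # TTL
    b[10:12] = b"\0\0"  # header checksum
    return bytes(b)

def icv96(data: bytes) -> bytes:
    """HMAC-SHA1-96 (RFC 2404): HMAC-SHA1 truncated to 96 bits."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    # AH header: next header (TCP), payload length (24 bytes = 4 words), reserved,
    # SPI, sequence number; the 12-byte ICV field is zeroed during computation.
    ah_hdr = struct.pack("!BBHII", 6, 4, 0, SPI, SEQ) + b"\0" * 12
    return icv96(zero_mutable(ip_hdr) + ah_hdr + payload)

def esp_icv(payload: bytes) -> bytes:
    """ESP's ICV covers the ESP header and payload only, never the outer IP header."""
    return icv96(struct.pack("!II", SPI, SEQ) + payload)

def nat_rewrite_src(ip_hdr: bytes, new_src: str) -> bytes:
    """What a NAT does on the way out: replace the source address."""
    return ip_hdr[:12] + socket.inet_aton(new_src) + ip_hdr[16:]

def survives_nat() -> tuple:
    """Returns (AH verifies after NAT, ESP verifies after NAT)."""
    payload = b"constructed TCP segment"
    hdr = ipv4_header("10.0.0.5", "203.0.113.9", 64, 51, 20 + 24 + len(payload))
    ah, esp = ah_icv(hdr, payload), esp_icv(payload)
    natted = nat_rewrite_src(hdr, "198.51.100.1")   # receiver sees this header
    ah_ok = hmac.compare_digest(ah, ah_icv(natted, payload))
    esp_ok = hmac.compare_digest(esp, esp_icv(payload))
    return ah_ok, esp_ok   # (False, True)
```

The AH check fails on the receiver because the rewritten source address is part of the authenticated data, while the ESP check is untouched by the address change; this is why UDP encapsulation of ESP is straightforward and AH needs special handling.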


