Death to AH Now (was RE: Death to AH (was Re: SA identification ))
I strongly agree. AH should die immediately.
AH was invented before mobile-IP. It was based on an assumption that IPv6 header fields should be protected, yet still be readable by routers in transit. This was not a useful requirement. Better protection can be provided by other mechanisms (like ESP). Over the last year or two there have been few supporters of AH (perhaps just 1?). The mandatory-to-implement status of AH is expensive and unnecessary.

The IETF makes it easier to add a technology than to remove it. I propose that the working group proceed with the following process:
1) The IPsec working group should have yet another straw poll on the death of AH :-(

   a) The following questions should be posed to working groups in the IETF.

      Questions:

      i) Should AH be an IETF standards track document?

      If your answer was yes to the question above, please answer the following additional questions:

      ii) What useful security service does AH provide that can not be provided by other mechanisms (like ESP)?

      iii) Do you know of any significant existing application of AH?

   b) Since various working groups may have adopted AH (like mobile-IP) the poll should go to all working groups.

   c) The straw poll comment period should end in two weeks (last comments accepted April 6).

2) Take action if the results above indicate that AH should "die".

   Action items would include:

   a) Remove AH from the standards track by reissuing RFC 2402 as informational or experimental.

   b) Modify RFC 2401 to purge AH from the architecture.

   c) Minor modifications as required in other specifications (to be identified).

   d) Retain, but do not mandate key management support for AH. Minor modifications to key management specification may be required.
Paul
-----Original Message-----
From: Ari Huttunen [mailto:Ari.Huttunen@F-Secure.com]
Sent: Thursday, March 22, 2001 9:11 AM
To: Henry Spencer
Cc: IP Security List
Subject: Death to AH (was Re: SA identification)
Henry Spencer wrote:
>
> On Thu, 22 Mar 2001, Stephen Kent wrote:
> > really whether anyone manages SPIs in a fashion that relies on using
> > the other two values for differentiation.
>
> Linux FreeS/WAN currently makes minor use of the ability to assign the
> same SPI to SAs of different protocols, for the case where a single
> connection uses multiple protocols (e.g. AH+ESP). We're not strongly
> attached to this, however... especially since we definitely belong to the
> "Death to AH!!!" faction.
>
> Henry Spencer
> henry@spsystems.net
Yes, quick death to AH please! I've now been writing a new draft for how to pass AH through NATs using UDP encapsulation (a continuation of the work that was presented in the WG meeting). It just basically sucks, and I'd much rather NOT do it at all! All the people doing the relevant drafts pretty much agreed that no-one wants to do it, but IPsec requires AH so we feel we're compelled to do it.

When there was discussion about why AH at all, the only real reason that I can recollect was that Mobile-IPv6 uses it to protect Binding Updates. Well, guess what, AH doesn't really work for them either, as witnessed in the WG meeting today.

Even if AH is not killed at once, a decision by this WG that AH doesn't need to go through NATs would help us a lot!
Ari
--
Ari Huttunen              phone: +358 9 2520 700
Software Architect        fax  : +358 9 2520 5001
F-Secure Corporation      http://www.F-Secure.com
F-Secure products: Integrated Solutions for Enterprise Security
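As an added illustration of the point both messages make (this is editor-supplied example code, not part of the thread or of any IPsec implementation): the AH integrity check covers the IP header itself, so an ordinary router that only touches mutable fields such as TTL leaves the packet valid, while a NAT that rewrites the source address breaks it. The key, SPI, addresses and payload below are constructed; HMAC-SHA1-96 and the RFC 2402 list of mutable IPv4 fields are assumed.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

# Constructed demo values (not from the thread): key, SPI, addresses, payload.
KEY = b"constructed-demo-key"
SPI = 0x1000
ICV_LEN = 12  # HMAC-SHA1-96 truncation, the AH authenticator of the RFC 2402 era

def ipv4_header(src, dst, ttl, total_len):
    """20-byte IPv4 header carrying AH (protocol 51); header checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, 51, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def ah_icv(ip_hdr, ah_fixed, payload):
    """ICV over the packet with the RFC 2402 mutable IPv4 fields (TOS, flags and
    fragment offset, TTL, header checksum) and the ICV field itself zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0            # TOS
    h[6:8] = b"\0\0"    # flags + fragment offset
    h[8] = 0            # TTL
    h[10:12] = b"\0\0"  # header checksum
    data = bytes(h) + ah_fixed[:12] + b"\0" * ICV_LEN + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(src, dst, ttl, seq, payload):
    ip_hdr = ipv4_header(src, dst, ttl, 20 + 12 + ICV_LEN + len(payload))
    # AH fixed part: next header (17 = UDP), payload len = 24/4 - 2 = 4, reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", 17, 4, 0, SPI, seq)
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, payload) + payload

def verify_ah(packet):
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_fixed, payload))

def router_forward(packet):
    """An ordinary router only decrements TTL (mutable), so AH still verifies."""
    h = bytearray(packet[:20])
    h[8] -= 1
    return bytes(h) + packet[20:]

def nat_rewrite(packet, new_src):
    """A NAT rewrites the source address, which AH covers, so the ICV no longer matches."""
    h = bytearray(packet[:20])
    h[12:16] = IPv4Address(new_src).packed
    return bytes(h) + packet[20:]
```

ESP's integrity check, by contrast, starts at the ESP header and never covers the outer IP header, which is why it survives address rewriting where AH cannot.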