Re: Death to AH (was Re: SA identification)
>It's certainly not the opinion of the FreeS/WAN project. Our current
>users mostly run VPNs, but our long-term objectives are elsewhere. We
>think AH is just as useless and undesirable for non-VPN applications as it
>is for VPN applications. In fact, I don't understand why you think that
>"death to AH!" means "IPsec is for VPN only"; they seem to me like two
>completely separate issues.
in previous discussions, most of "death to AH" reasoning was
(in my understanding) like this:
- you can protect the whole packet by tunnel mode ESP, like
	IP1 ESP IP2 foo
  so why bother?
so i guess "death to AH" and "ipsec is for VPN only" are related.
it is correct that there are certain extension headers that do not
need protection, however, there are certain applications that need
AH (especially with transport mode). as an increasing number of protocol
documents are relying upon the existence of ESP and AH (like most of
IPv6 routing protocols) i believe we need AH definitely.
itojun