
Re: Death to AH (was Re: SA identification)




>It's certainly not the opinion of the FreeS/WAN project.  Our current
>users mostly run VPNs, but our long-term objectives are elsewhere.  We
>think AH is just as useless and undesirable for non-VPN applications as it
>is for VPN applications.  In fact, I don't understand why you think that
>"death to AH!" means "IPsec is for VPN only"; they seem to me like two
>completely separate issues. 

	in previous discussions, most of "death to AH" reasoning was
	(in my understanding) like this:
	- you can protect the whole packet by tunnel mode ESP, like
		IP1 ESP IP2 foo
	  so why bother?

	so i guess "death to AH" and "ipsec is for VPN only" are related.

	it is correct that there are certain extension headers that do not
	need protection, however, there are certain applications that need
	AH (especially with transport mode).  as an increasing number of protocol
	documents are relying upon the existence of ESP and AH (like most of
	IPv6 routing protocols) i believe we need AH definitely.

itojun

