
Re: Death to AH (was Re: SA identification)




  I got one response to my question: 
    "where is it written that you must implement AH for IPv4"

  (IPv6 specs say that you must do so to be v6 compliant, but that isn't
  in the IPsec specs)

  The answer I got from Jesse Walker of Intel was:

>RFC 2407, clauses 4.4.3.1 and 4.4.3.2, state explicitly that all
>implementations claiming conformance to the IP DOI must implement AH_MD5 and
>AH_SHA.

  It seems kind of funny to me that we should state that AH is mandatory
in this part of the spec. In particular, it is in a/the *keying* draft.

  If removing this one "MUST" makes VPN people stop complaining, then this
is pretty simple. I still haven't received a really convincing reason why
VPN vendors didn't cheat here.

] Train travel features AC outlets with no take-off restrictions|gigabit is no[
]   Michael Richardson, Solidum Systems   Oh where, oh where has|problem  with[
]     mcr@solidum.com   www.solidum.com   the little fishy gone?|PAX.port 1100[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

