Steve, > I would have no problem deprecating AH in the context of the IPsec > architecture document, if others agree. It is less efficient than > ESP-NULL. However, other WGs have cited AH as the IPsec protocol of > choice for integrity/authentication in their environments, so there > will be a need to coordinate with them, and it may be unacceptable to > kill AH as a standalone protocol for them.
I agree that it is a trifle too early to start deprecating AH, though I wouldn't mind doing so. OTOH, don't most WGs already suggest AH as a MAY, and ESP-NULL as a MUST? In any case what should be the stand for the newer work that comes out of these WGs. Should they spell out support for AH, or should they just be talking about ESP (or ESP-NULL or WESP)? If we want to deprecate AH, or at least discourage its use in the context of the IPSec architecture in the near future then shouldn't we be working on this? > > I am not comfortable with the notion of ESP with WESP. WESP adds > more per-packet overhead than ESP, and some users are very sensitive > to this aspect of IPsec use. Also, other WG rely on ESP and we would > need to convince them that the packet inspection features of WESP > merit making changes to their standards, which might be a tough sell. I agree. However, we should start socializing WESP in other WGs so that folks are at least aware of it. Cheers, Manav > So, I cannot support this suggestion. > > Steve > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
