At 7:49 PM -0800 11/11/09, Merike Kaeo wrote:
All of the standards I've seen that explicitly define how IPsec is
to be used for authentication (including RFC 4552 -
Authentication/Confidentiality for OSPFv3) say that for
authentication ESP-Null MUST be used and AH MAY.
Which RFCs specify AH specifically as a MUST for authentication/integrity?
Now on the flip side, in practical implementations, most vendors I
know of started off with AH being used for OSPFv3 and I doubt in
practice people are using ESP-Null. Would love to be wrong here :)
- merike

Whoops, I was wrong. I looked at 4552 and they do cite ESP-NULL
(although they never refer to it that way) as a MUST, and AH as a MAY.
I probably was confused because the authors did not understand the
IPsec model as per RFC 4301, when I sat down and talked with them
over 3 years ago, with Sam Hartman in his SEC AD role. I am amazed
that, in the final analysis, they did try to adhere to the 4301 model
(see section 11)!
I don't know if any other apps have done what I thought (erroneously)
had been done here.
Steve
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec