On Nov 11, 2009, at 3:56 PM, Stephen Kent wrote:

> Jack,
> 
> I would have no problem deprecating AH in the context of the IPsec 
> architecture document, if others agree. It is less efficient than ESP-NULL. 
> However, other WGs have cited AH as the IPsec protocol of choice for 
> integrity/authentication in their environments, so there will be a need to 
> coordinate with them, and it may be unacceptable to kill AH as a standalone 
> protocol for them.

I believe that most such uses date from the "just use IPsec" era of security 
design.  I further suspect that it is very rarely used or even implemented in 
practice, and that in many cases it wouldn't in fact have been usable.

Yes, as a matter of due diligence someone needs to check if it's still mandated 
for anything, and if so figure out what to do.  But I'd be very happy if AH 
were to go away; I concluded in 1995 that it was pretty useless.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec