Tero Kivinen wrote:

> > > > - Section 2.1, suggesting that AH might have more bugs doesn't
> > > > sound
> > > > like an argument that belongs in this document.
> > >
> > > It was one of the arguments which was given when people said why
> > > they do not want to use AH.
> >
> > Nevertheless, as it's currently written, it sounds more like FUD
> > than a reasonable argument. Let's just delete it.
> 
> Ok, removed the ", meaning it might have more bugs than ESP
> implementations" part. Would this text be ok:
> 
>     AH has also quite complex processing rules compared to ESP when
>     calculating the ICV, including things like zeroing out mutable
>     fields. Also, as AH is not as widely used as ESP, AH support
>     is not as well tested in interoperability events.
> 
> or do you think we should leave only the complexity issue:
> 
>     AH has also quite complex processing rules compared to ESP when
>     calculating the ICV, including things like zeroing out mutable
>     fields.

I'm OK with either one (but AH is a very stable and mature protocol,
so while it's not as widely used, I would expect the level of testing
has been quite substantial...).

> > But the comparison to IPv6 is very misleading here -- I think many
> > folks would argue that for IPv6 it's been easier to update the end
> > nodes (many of which do support IPv6 today) than the intermediate
> > nodes (when e.g. travelling, how often do you find that the
> > routers/whatever in the access network actually provide v6?). And
> > probably some folks would say this argument is too simplistic and
> > wrong, too -- either way, it's not a discussion for this document.
> 
> Hmm... true... Ok. I removed the IPv6 vs NAT text so the paragraph
> looks like this:
> 
>     All of the aforementioned drafts require modification to ESP,
>     which requires that all end nodes need to be modified before
>     intermediate devices can assume that this new ESP format is in
>     use. Updating end nodes will require lots of time. An example of
>     slow end-node deployment is IKEv2. Considering an implementation
>     that requires both IKEv2 and a new ESP format, it would take
>     several years, possibly as long as a decade, before widespread
>     deployment.

OK.

> I will submit new draft tomorrow (before I leave for one week long
> vacation).

I'm leaving for a one-week-long trip tomorrow (Friday), so if there's
any chance you could get an update in today, I could ask the
secretariat to start IETF last call :-)

Best regards,
Pasi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
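The "complex processing rules" the draft text refers to are the RFC 4302 rules for computing the AH ICV over the outer IP header: mutable fields (for IPv4: DSCP/ECN, flags, fragment offset, TTL and header checksum) are zeroed before the MAC is computed, the ICV field inside the AH header is zeroed as well, and everything else is covered. ESP has no such per-field rules because its ICV never covers the outer IP header. The following is an added example, not code from the draft or from any IPsec implementation; it assumes an IPv4 header without options, HMAC-SHA1-96 (RFC 2404) as the integrity algorithm, and a constructed key, addresses and payload. It also shows the consequence that is in the background of this thread: a router hop (TTL change) leaves the ICV valid, while an address rewrite of the kind a NAT performs does not.

```python
"""AH ICV computation over IPv4 with RFC 4302 mutable-field zeroing (added example)."""
import hashlib
import hmac
import struct

ICV_LEN = 12        # HMAC-SHA1-96: 160-bit HMAC-SHA1 truncated to 96 bits (RFC 2404)
AH_FIXED_LEN = 12   # Next Header, Payload Len, Reserved, SPI, Sequence Number
IP_HDR_LEN = 20     # IPv4 header without options (IHL = 5); options are out of scope here


def ipv4_checksum(hdr):
    """Standard one's-complement checksum over a header whose checksum field is zero."""
    s = 0
    for i in range(0, len(hdr), 2):
        s += (hdr[i] << 8) | hdr[i + 1]
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4_header(src, dst, total_length, ttl=64, tos=0, ident=0x1234,
                      flags_frag=0x4000, proto=51):
    """IPv4 header without options; protocol 51 is AH."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_length, ident,
                      flags_frag, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_ah_header(next_header, spi, seq, icv):
    """Payload Len is the AH length in 32-bit words minus 2 (RFC 4302 section 2.2)."""
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def zero_mutable_ipv4(hdr):
    """Copy of the header with the RFC 4302 mutable IPv4 fields set to zero."""
    assert (hdr[0] & 0x0F) == 5, "example assumes an IPv4 header without options"
    b = bytearray(hdr)
    b[1] = 0                  # DSCP / ECN (TOS byte)
    b[6:8] = b"\x00\x00"      # flags and fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)


def ah_icv(key, ip_hdr, ah_hdr, payload):
    """ICV over (IP header with mutable fields zeroed) + (AH header with ICV zeroed) + payload."""
    ah_zeroed = ah_hdr[:AH_FIXED_LEN] + b"\x00" * (len(ah_hdr) - AH_FIXED_LEN)
    data = zero_mutable_ipv4(ip_hdr) + ah_zeroed + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, src, dst, payload, spi, seq, next_header=17, ttl=64):
    """Transport-mode AH: IP header, AH header carrying the ICV, then the original payload."""
    total_len = IP_HDR_LEN + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = build_ipv4_header(src, dst, total_len, ttl=ttl)
    ah_hdr = build_ah_header(next_header, spi, seq, b"\x00" * ICV_LEN)
    icv = ah_icv(key, ip_hdr, ah_hdr, payload)
    return ip_hdr + build_ah_header(next_header, spi, seq, icv) + payload


def ah_verify(key, packet):
    """Recompute the ICV with the same zeroing rules and compare in constant time."""
    ip_hdr = packet[:IP_HDR_LEN]
    ah_len = (packet[IP_HDR_LEN + 1] + 2) * 4
    ah_hdr = packet[IP_HDR_LEN:IP_HDR_LEN + ah_len]
    payload = packet[IP_HDR_LEN + ah_len:]
    return hmac.compare_digest(ah_icv(key, ip_hdr, ah_hdr, payload), ah_hdr[AH_FIXED_LEN:])


def decrement_ttl(packet):
    """What a router does on forwarding: TTL - 1 and a fresh header checksum."""
    b = bytearray(packet)
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b[:IP_HDR_LEN])))
    return bytes(b)


if __name__ == "__main__":
    # Constructed key, addresses and payload for the demonstration.
    key = b"\x0b" * 20
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    pkt = ah_protect(key, src, dst, b"hello", spi=0x100, seq=1)
    print("fresh packet verifies:   ", ah_verify(key, pkt))
    print("after a router hop:      ", ah_verify(key, decrement_ttl(pkt)))
    natted = pkt[:12] + bytes([192, 0, 2, 1]) + pkt[16:]   # NAT rewrites the source address
    print("after source-address NAT:", ah_verify(key, natted))
```

The zeroing happens identically on both sides, so any field that a legitimate intermediate node may rewrite (TTL, checksum, DSCP) must be on the mutable list; a field that is left out by mistake on one side produces an ICV mismatch that looks like an attack. The source and destination addresses are immutable in the ICV computation, which is exactly why AH cannot pass through address-rewriting NAT.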
