I prefer letting the market deprecate things. If no one uses AH, someday the IETF can mark it as "Historic," but long before that there will come a time when no one is interested in doing any more work on it. I was at the IETF IPsec WG meeting (in Los Angeles in the mid-90s) when AH would have died except once Microsoft strongly endorsed it, everyone else took the anti-MSFT viewpoint. Also, don't confuse "almost no one uses" for "no one uses" -- if AH is useful for someone, there is no harm in having a spec that tells them how to do it, and hopefully that spec is well written such that they can interoperate with other implementations.

AH is less efficient than ESP because you have to buffer a whole packet prior to calculating the Integrity Check Value that goes in the AH [header], which goes at the front. The calculations you have to do involve parts of the packet that are both before and after the AH [header], including the packet's payload. Once you calculate the Integrity Check Value (ICV) you then stuff it in the appropriate part of the AH and send the packet. ESP's cryptographic goodness is appended at the end (and the packet is encrypted up until that point), and you can be doing a running cryptographic algorithm as the packet is streamed out (encrypted after the IP header and ESP header), then append the right amount of padding and the ESP "trailer" at the end.

This site has some nice graphical depictions of AH and ESP (including the tunnel-mode vs. transport-mode that I didn't touch on): http://unixwiz.net/techtips/iguide-ipsec.html

Cheers,
~tom

On Fri, Nov 13, 2009 at 18:27, Jack Kohn <kohn.jack@gmail.com> wrote:
So who uses AH and why?
Jack
On Sat, Nov 14, 2009 at 6:19 AM, Owen DeLong <owen@delong.com> wrote:
I've never seen anyone use AH vs. ESP. I've always used ESP and so has every other IPSEC implementation I've seen anyone do.
Owen
On Nov 13, 2009, at 4:22 PM, Jack Kohn wrote:
Hi,
Interesting discussion on the utility of Authentication Header (AH) in IPSecME WG.
http://www.ietf.org/mail-archive/web/ipsec/current/msg05026.html
Post explaining that AH even though protecting the source and destination IP addresses is really not good enough.
http://www.ietf.org/mail-archive/web/ipsec/current/msg05056.html
What do folks feel? Do they see themselves using AH in the future? IMO, ESP and WESP are good enough and we don't need to support AH any more...
Jack
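Tom's point about where the ICV sits, as an added example that is not part of the thread: the AH ICV (RFC 4302) is computed over the IP header with mutable fields zeroed, the AH header with its ICV field zeroed, and the whole payload after it, so the sender must hold the complete packet before it can fill in the header; the ESP ICV (RFC 4303) covers the ESP header, payload, padding and trailer in wire order and is appended last, so the MAC can run as bytes stream out. Keys, addresses, SPIs and payloads are constructed; HMAC-SHA1-96 (RFC 2404) and NULL encryption (RFC 2410) are assumed to keep the bytes readable.

```python
import hmac, hashlib, struct

KEY = b"constructed-demo-key"  # constructed for this example, not from the thread
ICV_LEN = 12                   # HMAC-SHA1-96 (RFC 2404) truncates the MAC to 96 bits

def ipv4_header(proto, total_len, ttl=64):
    # Minimal IPv4 header with constructed addresses; checksum left as zero.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def ah_icv(ip_hdr, ah_hdr, payload, key=KEY):
    # RFC 4302: the ICV covers the IP header (mutable fields zeroed), the AH
    # header with its ICV field zeroed, and everything after it. The sender
    # therefore needs the complete packet before it can fill in the AH.
    ip = bytearray(ip_hdr)
    ip[1] = 0                    # TOS/DSCP
    ip[6:8] = b"\x00\x00"        # flags + fragment offset
    ip[8] = 0                    # TTL
    ip[10:12] = b"\x00\x00"      # header checksum
    covered = bytes(ip) + ah_hdr[:12] + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]

def ah_packet(payload, next_header=17, ttl=64, spi=0x100, seq=1):
    # AH header: next header, payload len (32-bit words minus 2), reserved, SPI, seq
    ah_hdr = struct.pack("!BBHII", next_header, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(51, 20 + 12 + ICV_LEN + len(payload), ttl)  # proto 51 = AH
    return ip_hdr + ah_hdr + ah_icv(ip_hdr, ah_hdr, payload) + payload

def ah_verify(packet):
    ip_hdr, ah_hdr, icv, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_hdr, payload))

def esp_packet(payload, next_header=17, spi=0x200, seq=1, key=KEY):
    # RFC 4303: the ICV covers SPI, seq, payload, padding and trailer in wire
    # order, so the MAC is updated as each piece goes out and appended at the end.
    # NULL encryption (RFC 2410) assumed so the payload stays readable.
    mac = hmac.new(key, digestmod=hashlib.sha1)
    pad_len = (-(len(payload) + 2)) % 4          # align payload+pad+trailer to 4 bytes
    chunks = [struct.pack("!II", spi, seq), payload,
              bytes(range(1, pad_len + 1)), bytes([pad_len, next_header])]
    out = b""
    for c in chunks:        # stream each piece out while running the MAC
        mac.update(c)
        out += c
    return out + mac.digest()[:ICV_LEN]

def esp_verify(packet, key=KEY):
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN])
```

Because TTL is a mutable field, an AH packet still verifies after a router decrements it, while any change to the payload or the protected header fields fails the check.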