No - if you read the below pointers carefully it does specify that ESP-Null is a MUST for the OSPFv3 authentication protocol while AH is a MAY. AH is mostly superfluous and complicates implementations. Someone on the IPsec mailing list stated that at least two implementations he was aware of used ESP-Null for OSPFv3, where one did not even have any support for AH.

And I know I'm probably violating some posting etiquette here, but to answer an earlier comment on the same thread where someone asked why the hate for AH and what's the problem if it's already in all of the production IPsec implementations....... I can firsthand state that for many IPsec interoperability tests AH is hardly if ever tested. I have been a part of some of them as an interested 3rd party (i.e. non-vendor) so have seen what gets tested. AH is always last from what I've seen and rarely does anyone ever get to it. [caveat - my experience comes from multivendor consortium type tests and not what vendors may do privately amongst themselves]

And FWIW..... I've been doing skunkwork IPsec for the past 10 years and right now there's yet another effort to come up with interoperable defaults which is being led by the aviation industry and is looking at IETF defined profiles, NSA related recommendations, NIST recommendations and ICSA IPsec consortium recommendations. There was a meeting in Seattle last week and many vendors as well as NIST, DoD and other parties participated. If you are at all running IPsec in a major way and care about interoperable defaults and consistent terminology, contact me offline and I'll get you connected to the group. Vendors will only 'fix' their implementations if there's cohesion from the customer base.

- merike

On Nov 14, 2009, at 10:58 PM, Mohacsi Janos wrote:
On Sat, 14 Nov 2009, Jack Kohn wrote:
Hi,
Interesting discussion on the utility of Authentication Header (AH) in IPSecME WG.
http://www.ietf.org/mail-archive/web/ipsec/current/msg05026.html
Post explaining that AH even though protecting the source and destination IP addresses is really not good enough.
http://www.ietf.org/mail-archive/web/ipsec/current/msg05056.html
What do folks feel? Do they see themselves using AH in the future? IMO, ESP and WESP are good enough and we don't need to support AH any more ..
They are planning to make OSPFv3 IPSec authentication useless?

Best Regards,
Janos Mohacsi