tech-net archive
Re: rework IPsec intro
Andrew Cagney <andrew.cagney%gmail.com@localhost> wrote:
>> Good work. Maybe, mention that AH is fundamentally incompatible with
>> NAT44, and as a result, has had essentially zero deployment outside of
>> limited domains. (see RFC8799)
> Thanks for the addition, I'll add it. I was trying to be subtle and
> only hint at AH being dead. Screw that :-)
As an advocate for AH use, it died when we tried to use it 15 years ago in
SEND (Securing Neighbor Discovery), but we couldn't, because we defined the
behaviour of unknown-SPI wrong. For ESP, error.
For AH, pretend there is no AH and keep going.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] mcr%sandelman.ca@localhost http://www.sandelman.ca/ | ruby on rails [