[Cryptography] Two quick questions about IPsec AH

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Jan 6 23:31:17 EST 2022


Phillip Hallam-Baker <phill at hallambaker.com> writes:

>I remember sitting in an IPSEC meeting at the Dallas IETF and hearing the AD
>call this 'a feature'.

Yup, I remember that too (not at the Dallas IETF but elsewhere).  The thinking
was "IPsec will be bigger than NAT so if we make sure it breaks NAT, NAT will
go away".

This anti-NAT crusade within the IETF persisted for a long, long time.  Look
at RFC 3424 for example, which invented a childish backronym "UNSAF" to refer
to NAT-traversal mechanisms so it can talk about UNSAF clients and UNSAF
servers throughout.  Section 4 is particularly amusing, describing the various
levels of self-flagellation that any UNSAF mechanism is required by the IAB to
subject itself to.

Peter.


