<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><br>
</p>
<div class="moz-cite-prefix">On 1/6/2022 6:42 AM, Phillip
Hallam-Baker wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAMm+LwibAzDveMx5Zh69Ya6z-X1rdOKQs4K3qQOYhd7Tvcep_Q@mail.gmail.com">
<pre class="moz-quote-pre" wrap="">+1 to the rest of the discussion, but I want to go back to the original
question:
On Tue, Jan 4, 2022 at 1:33 AM R Perlman <a class="moz-txt-link-rfc2396E" href="mailto:radiajpc@gmail.com" moz-do-not-send="true"><radiajpc@gmail.com></a> wrote:
</pre>
<blockquote type="cite" style="color: #007cff;">
<pre class="moz-quote-pre" wrap="">1) Is anyone using it, or are they just using ESP?
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">I am not sure whether AH is being used, but I rather suspect that it is not
because of some other design decisions in IPSEC.
IPSEC as specified in the RFCs was simply unusable because it didn't work
through NAT. The IPSEC authentication included the source address and that
caused connections to fail through NAT boxes.
I remember sitting in an IPSEC meeting at the Dallas IETF and hearing the
AD call this 'a feature'. The notion at the time being that NAT was evil
and it was a good thing if IPSEC didn't work with NAT. That was the first
time I had heard of NAT (I connected through dialup at home). I went out
and bought a NAT box the next week so we could share a single telephone
line and save $30 a month.</pre>
</blockquote>
<p>Definitely an issue. AH does not work with NAT. ESP mode is
better, because it does work with some NAT -- those that have been
upgraded to support it. But then, not all NATs have been, so in
practice we end up with IPSEC over UDP (RFC 3948), or even SSL
VPN.</p>
<p>But yes, I remember long discussions about deployment in
environments where encrypting the payload was not desirable, and
it ends up being simpler to use ESP with an AUTH only algorithm
than to use AH.</p>
<p>-- Christian Huitema<br>
</p>
</body>
</html>