[c-nsp] *** GMX Spamverdacht *** RE: IPSEC over NAT - what am I missing?

Nick Hilliard nick at foobar.org
Sat Jan 26 15:35:23 EST 2013


On 26/01/2013 19:47, Garry wrote:
> turns out after all that the AH seems to be the cause of the problem

AH will certainly stop ipsec + NAT-T from working, no doubt about it.  If
you're cryptographically authenticating the header and the nat-t device
then modifies the header, it's game over.  The two things are fundamentally
incompatible and unless you hand over your crypto keys to the nat-t device,
there is nothing you can do to fix this.

Regular as rain, people suggest formally deprecating in the IETF ipsec
working group, but it looks like there is a hard core of people on that WG
who feel that it still serves some purpose, and who actively stamp their
feet every time someone suggests retiring it, e.g.

http://www.ietf.org/mail-archive/web/ipsec/current/msg07699.html

Personally, I would be very happy if AH disappeared because it does nothing
except cause trouble.

Nick
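An added illustration of the AH point above (not code from the original post or from the thread's authors): the AH integrity check value covers the outer IP source and destination addresses, so a NAT rewrite fails verification, while a plain router's TTL decrement, which AH excludes from the ICV, does not. The key, addresses and payload are constructed sample values, and the hop functions simulate a single NAT or router rather than a real IPsec stack.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; AH here uses HMAC-SHA1-96 as in RFC 4302 / RFC 2404.
KEY = b"constructed-demo-key"

def ipv4_header(src: str, dst: str, ttl: int, total_len: int, proto: int = 51) -> bytes:
    """Minimal 20-byte IPv4 header; protocol 51 = AH. Checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """Zero the fields RFC 4302 classes as mutable in transit: TOS, flags/fragment
    offset, TTL and header checksum. Source and destination addresses stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h)

def ah_header(spi: int, seq: int, icv: bytes = bytes(12), next_hdr: int = 17) -> bytes:
    """AH header: next header, length in 32-bit words minus 2, reserved, SPI, sequence, ICV."""
    return struct.pack("!BBHII", next_hdr, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv

def ah_icv(key: bytes, ip_hdr: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """ICV = HMAC over immutable IP header + AH header (ICV zeroed) + payload, cut to 96 bits."""
    data = ah_immutable_view(ip_hdr) + ah_header(spi, seq) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def ah_verify(key: bytes, ip_hdr: bytes, spi: int, seq: int, icv: bytes, payload: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, ip_hdr, spi, seq, payload), icv)

def router_hop(ip_hdr: bytes) -> bytes:
    """A plain router only decrements TTL, which AH tolerates."""
    h = bytearray(ip_hdr); h[8] -= 1
    return bytes(h)

def nat_hop(ip_hdr: bytes, new_src: str) -> bytes:
    """A NAT also rewrites the source address, which the AH ICV covers."""
    h = bytearray(router_hop(ip_hdr)); h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)

def demo() -> dict:
    """Sign one packet, then verify it after a router hop and after a NAT hop."""
    payload, spi, seq = b"constructed UDP payload", 0x100, 1
    hdr = ipv4_header("192.0.2.10", "198.51.100.1", 64, 20 + 24 + len(payload))
    icv = ah_icv(KEY, hdr, spi, seq, payload)
    return {"after_router": ah_verify(KEY, router_hop(hdr), spi, seq, icv, payload),
            "after_nat": ah_verify(KEY, nat_hop(hdr, "203.0.113.5"), spi, seq, icv, payload)}
```

Running `demo()` returns `{'after_router': True, 'after_nat': False}`; ESP's ICV (RFC 4303) covers only the ESP header and payload, not the outer IP header, which is why NAT-T carries ESP and not AH.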


