On Wed, Jun 10, 2020 at 11:03:55AM +0200, Tobias Brunner wrote: > Hi Eric, > > > + Note that RFC 8221 considers AH itself to be "NOT RECOMMENDED". It is > > + better to use ESP only, using an AEAD cipher such as AES-GCM. > > What's NOT RECOMMENDED according to the RFC is the combination of ESP+AH > (i.e. use ESP only for confidentiality and AH for authentication), not > AH by itself (although the RFC keeps ENCR_NULL as a MUST because ESP > with NULL encryption is generally preferred over AH due to NATs). > > Regards, > Tobias Okay, I'll drop this paragraph. I'm surprised that authentication-only is still considered a valid use case though. - Eric