AH removed from FreeS/WAN
The largely unused AH (Authentication Header) has been removed from FreeS/WAN.
FreeS/WAN is still able to authenticate packets via ESP (Encapsulating
Security Protocol). Formerly the default, this is now the only
available method. The change will affect few users, and most of those
affected can set their peer IPsec implementation to use ESP authentication.
FreeS/WAN aims to be a lightweight security product,
free from extra features which introduce increased complexity, and
security risk. As a result it has historically offered a limited subset of the
IPsec protocols, and current development continues to streamline its
Concerning AH in particular, Niels Ferguson and Bruce
Schneier have argued in A Cryptographic Evaluation of IPsec
that the choice of two authentication methods, AH and ESP, adds complexity
(and therefore increased security risk) to the IPsec protocols.
On this basis, they recommended that AH be removed from IPsec, and that ESP
be modified to provide authentication in every case. FreeS/WAN 2.05 has
put these recommendations into practise.
As of release 2.05,
it is no longer legal to set auth=ah in FreeS/WAN's
ipsec.conf configuration file, or to use its ah-specific options:
ah, ahkey, ahreplay_window and leftahspi.
Behind the scenes, AH no longer appears in KLIPS (FreeS/WAN's kernel component)
or ipsec whack (the scripts that control FreeS/WAN's pluto