On Jan 2, 2012, at 2:11 AM, Michael Richardson wrote:
> This property is simply undesirable for many security systems,
> including all VPNs.
> Having said all of this, I agree that for 99% of "Use IPsec"
> statements, ESP-NULL is likely the correct choice.
I don't think you actually meant to say that, right?
Most of the "Use IPsec" statements are followed by "and you'd better have 128 bits of security in the encryption".
Having said that, there was a thread some months ago about making a modified AH that does not MAC the stuff in previous headers - only its own fields and what follows. That would solve the "AH does not work through NAT" problem, but would make it even more indistinguishable from ESP-NULL. Except what you said about it being just another header.
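To make the NAT point concrete, here is an added illustration that is not part of the original thread: a simplified Python model of the two integrity-check choices being discussed. Standard AH computes its ICV over the preceding IP header (with mutable fields such as TTL and header checksum zeroed, but with source and destination addresses included), while the hypothetical modified AH from the thread covers only its own fields and what follows. The model then simulates a NAT hop rewriting the source address and shows that the standard ICV fails verification while the modified one still verifies. It is a teaching sketch, not an RFC 4302 implementation: IPv4 only, no options, HMAC-SHA256 truncated to 96 bits, and no replay window. The key, addresses, SPI and payload are constructed values.

```python
"""Simplified model of AH integrity coverage vs. NAT address rewriting.
Added example, not code from the thread; constants and inputs are constructed."""
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 12      # 96-bit truncated ICV, as AH integrity algorithms commonly use
PROTO_AH = 51
PROTO_UDP = 17
IP_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int, after_ip_len: int) -> bytes:
    """Minimal IPv4 header whose next protocol is AH."""
    fields = [0x45, 0, 20 + after_ip_len, 0x1234, 0x4000, ttl, PROTO_AH, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(IP_FMT, *fields))
    return struct.pack(IP_FMT, *fields)


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """AH-style preparation: zero the fields a router may legitimately change
    (TOS, flags/fragment offset, TTL, header checksum). The addresses are
    immutable under AH and therefore stay covered by the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_fixed_fields(next_header: int, spi: int, seq: int) -> bytes:
    """The 12 fixed bytes of an AH header: next header, payload length
    (whole AH in 32-bit words minus 2), reserved, SPI, sequence number."""
    payload_len_field = (12 + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)


def compute_icv(key: bytes, covered: bytes) -> bytes:
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def covered_region(ip_hdr: bytes, ah_fixed: bytes, payload: bytes, modified: bool) -> bytes:
    """Standard AH: zeroed IP header + AH (ICV field zeroed) + payload.
    Modified AH (hypothetical variant from the thread): AH + payload only."""
    ah_with_zero_icv = ah_fixed + b"\x00" * ICV_LEN
    if modified:
        return ah_with_zero_icv + payload
    return zero_mutable_fields(ip_hdr) + ah_with_zero_icv + payload


def build_packet(key: bytes, src: str, dst: str, payload: bytes,
                 modified: bool, spi: int = 0x1000, seq: int = 1) -> bytes:
    ah_fixed = ah_fixed_fields(PROTO_UDP, spi, seq)
    ip_hdr = build_ipv4_header(src, dst, 64, len(ah_fixed) + ICV_LEN + len(payload))
    icv = compute_icv(key, covered_region(ip_hdr, ah_fixed, payload, modified))
    return ip_hdr + ah_fixed + icv + payload


def verify(packet: bytes, key: bytes, modified: bool) -> bool:
    """Receiver side: recompute the ICV over the same coverage and compare."""
    ip_hdr, rest = packet[:20], packet[20:]
    ah_fixed, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    expected = compute_icv(key, covered_region(ip_hdr, ah_fixed, payload, modified))
    return hmac.compare_digest(icv, expected)


def nat_rewrite(packet: bytes, new_src: str) -> bytes:
    """Simulated NAT hop: rewrite the source address, decrement TTL and
    recompute the header checksum, leaving AH and payload untouched."""
    h = bytearray(packet[:20])
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


def nat_survival(key: bytes) -> dict:
    """Does each variant still verify after a NAT rewrote the source address?"""
    results = {}
    for name, modified in (("standard_ah", False), ("modified_ah", True)):
        pkt = build_packet(key, "10.0.0.2", "203.0.113.5", b"constructed UDP payload", modified)
        assert verify(pkt, key, modified), "packet must verify before NAT"
        results[name] = verify(nat_rewrite(pkt, "198.51.100.7"), key, modified)
    return results


if __name__ == "__main__":
    print(nat_survival(b"constructed-demo-key"))  # {'standard_ah': False, 'modified_ah': True}
```

The result is what the thread predicts: once the ICV no longer covers the outer addresses, address translation becomes invisible to the receiver, which is exactly why the variant also stops looking different from ESP-NULL. Nothing in the preceding IP header is authenticated any more, so the modified AH is, in effect, just another header with an integrity tag over its own contents.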