[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: AH vs. ESP with MD5
>From: baldwin
>1) Is the new ESP suppose to eliminate the need for the AH transform?
No. Requirements were identified for an authentication only protocol,
especially in the IPv6 environment. These requirements could be reexamined,
but are a separate issue from combining confidentiality and integrity in a
single ESP transform.
> - If so, the current draft does not provide any integrity checks
> on the IP header, so an attacker can modify those fields in
> transit. Maybe that is not considered to be a threat.
First no not so, we are not eliminating AH. Integrity checks can be provided
if required on the IP header using AH.
> - If not, then a secure implementation that includes both AH
> and ESP will have to perform two MD5 digests on the payload.
> That is a 33% performance hit for large packets [with the
> original AH-ESP, the payload is scanned once for the AH digest
> and once for the DES-CBC, the new ESP-DES-CBC-MD5 requires
> an additional scan of MD5 on the plaintext payload].
True, an end-system would be foolish to request unnecessary extra
encapsulations. The situation you describe could occur in various tunneling
scenarios that should be supported. For example using ESP end-to-end and AH
between firewalls that are carrying the end-to-end ESP.
>2) Do ESP packets need to be self describing in terms of the features
> they support (e.g., whether replay protection is included)?
No, this has not been the design paradigm for ESP. It is much more efficient
for processing and bits on the wire to have implicit definitions.
> The current design assumes that the SPI determines all the
> required features.
Yes.
Paul
--------------------------------------------------------------