
Re: ISAKMP null transforms
> Ok. You don't want to do AH. I assume you want to do something though or 
> else why go through the motions. So, let's say you want to do ESP without
> AH (a bad idea, but for the sake of discussion, let's say that you do).

> >True, but I'm suggesting that an accepted "null" AH proposal would be
> >identical to accepting a proposal with no AH.
> 
> Why obfuscate things with a "null" proposal? You don't want AH, then don't
> put it in the proposal. Or do you see some distinction between a proposal
> without AH and a proposal with a "null AH" specified? As a receiver, should
> I view those two differently?
I understand Brett's question, but don't understand the answer.
Let's say, for the sake of discussion, that your policy is that you
require integrity protection (AH), but that you would prefer not
to encrypt but are capable of encryption if the peer requires it.
Shouldn't it be legitimate to request:

  AH-alg1   (ESP-null, ESP-alg1, ESP-alg2)

The difference to the receiver is that in one case (no ESP proposed)
no connection will be established, and in the other case (ESP list as
shown above) it will (assuming either alg1 or alg2 are acceptable to
the receiver).

The benefit of the null capability is that if both peers prefer no
encryption (but do require AH), they can establish an AH-only connection
without the overhead of encryption.  Yet each of them is also able to
establish encrypted connections with different peers, if those other
peers require it.

Forgive me for not understanding if this can be accomplished in some
other way.
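A small Python model of the negotiation argued above, added here as an illustration; it is not part of the thread and not code from any ISAKMP implementation. It treats the proposal `AH-alg1 (ESP-null, ESP-alg1, ESP-alg2)` as one protection suite (protocols ANDed, transforms ORed in initiator preference order) and uses two constructed responder policies, one that requires AH but prefers no encryption and one that requires real encryption, to show how the same offer yields an AH-only SA with the first peer and an AH+ESP SA with the second, while an offer with no ESP at all fails against the second.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Simplified model of ISAKMP protection-suite selection. A suite is one proposal
# in which every listed protocol is ANDed and each protocol carries an ordered
# list of transforms (initiator preference first). "alg1"/"alg2" are the
# placeholder names from the thread; "null" stands for the ESP null cipher.
Suite = Dict[str, List[str]]


@dataclass
class ResponderPolicy:
    """Constructed policy: protocols the responder insists on, and the
    transforms it will accept for each protocol it is offered."""
    required: FrozenSet[str]
    acceptable: Dict[str, FrozenSet[str]]


def select(suite: Suite, policy: ResponderPolicy) -> Optional[Dict[str, str]]:
    """Return the transform chosen per protocol, or None when no SA results."""
    # A required protocol that the initiator did not propose is fatal: this is
    # the "no ESP proposed -> no connection" case from the message above.
    if not policy.required.issubset(suite):
        return None
    chosen = {}
    for proto, offered in suite.items():
        # Honour initiator preference order; take the first acceptable transform.
        ok = [t for t in offered if t in policy.acceptable.get(proto, frozenset())]
        if not ok:
            return None  # protocol offered with no acceptable transform
        chosen[proto] = ok[0]
    return chosen


def protection_in_effect(chosen: Dict[str, str]) -> FrozenSet[str]:
    """Protocols that actually protect traffic: a null transform adds nothing,
    which is the sense in which an accepted null proposal equals no proposal."""
    return frozenset(p for p, t in chosen.items() if t != "null")


INITIATOR_SUITE: Suite = {"AH": ["alg1"], "ESP": ["null", "alg1", "alg2"]}

# Peer A: requires AH, prefers clear text but can encrypt (the poster's policy).
PREFERS_CLEAR = ResponderPolicy(
    required=frozenset({"AH"}),
    acceptable={"AH": frozenset({"alg1"}), "ESP": frozenset({"null", "alg1", "alg2"})},
)
# Peer B: requires AH and real encryption, so it rejects the null transform.
REQUIRES_ENCRYPTION = ResponderPolicy(
    required=frozenset({"AH", "ESP"}),
    acceptable={"AH": frozenset({"alg1"}), "ESP": frozenset({"alg1", "alg2"})},
)
```

Run `select(INITIATOR_SUITE, PREFERS_CLEAR)` and `select({"AH": ["alg1"]}, REQUIRES_ENCRYPTION)` side by side to see the two outcomes the message contrasts.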