
Re: ESP and AH on a secure gateway



Rick Pluth writes:
> I am developing a secure gateway, i.e. providing encryption on 
> behalf of my trusted subnet.  This gateway will be using ESP 
> tunnel-mode and AH.
[...]
>  After reading and discussing the appropriate RFCs (1825, 1826, etc.),
>  I'm a little confused on how to use a combination of ESP and AH.  To
>  clarify, if I receive a packet from a trusted host, should I
>  authenticate this IP packet, add in the AH, and then encrypt and add
>  the ESP header?  OR,
[...]
> Should I encrypt the received IP packet and add the ESP header, and
>      THEN authenticate this data.  

The latest DES-CBC + HMAC + replay protection draft,
draft-ietf-esp-des-md5-03.txt, specifies encryption over message
authentication (cf. section 3). 

On the other hand, Phil Rogaway discouraged encrypting message
authentication codes in an article last year 
<http://wwwcsif.ucdavis.edu/~rogaway/papers/draft-rogaway-ipsec-comments-00.txt>
in reference to some earlier IPsec transform drafts (cf. section 4). 
His conclusion then was:

	"RECOMMENDATION 4: Mandate that, when an ESP and an AH are
	both used, the scope of the authentication includes the
	encrypted packet (and not vice versa)."

Doubtless this disagreement was discussed here before, but I don't
know how it was (apparently) resolved in favor of ESP over AH.
References, anyone?

[Incidentally, it's not obvious to me why "it is much more
transparently correct to MAC an enciphered string than to encipher a
MACed one" as Phil R. wrote in April '95. I'd be interested in reading
an explanation of this.]

[...]
>      In the first method, I'm authenticating the trusted host's clear-text
>      packet, while in the second method, I am authenticating the ESP packet
>      my gateway has produced.  I am inclined to say the latter method is
>      more appropriate for a gateway, since I shouldn't be authenticating
>      "someone else's" data.

I think it's useful to consider this in terms of integrity rather than
authentication. By computing a MAC for an outgoing packet, a gateway is
just preserving the integrity of the contents as received. It's not 
claiming authorship or vouching for anything else. I'd say this issue
is orthogonal to the ordering of confidentiality and integrity
preserving transforms.
 
Lewis	       http://www.cs.umass.edu/~lmccarth/lmkey.asc
"The intensity of the scenes we've been shooting and the amount of
emotional work and concentration that is needed to get through the day
are so mentally and physically exhausting that I'm sure I will need to
be institutionalized when it's over. I understand now why most actors
are alcoholics, drug addicts, or Scientologists" -Madonna L. Ciccone
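
The two orderings discussed in this message, as an added example that is not part of the original post or of any IPsec draft: it builds both packet layouts and shows what a receiving gateway must do before it can reject a modified packet. Assumptions: a SHA-256 keystream stands in for DES-CBC, HMAC-SHA-256 stands in for the drafts' HMAC, and all keys, nonces, packet bytes and function names are constructed for illustration.

```python
import hashlib
import hmac

TAG = 32    # HMAC-SHA-256 tag length
NONCE = 8   # per-packet nonce length (constructed value)

def xor_cipher(key, nonce, data):
    """Stand-in cipher: SHA-256 counter-mode keystream. Illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def seal_encrypt_then_mac(ek, ak, nonce, packet):
    body = nonce + xor_cipher(ek, nonce, packet)
    return body + mac(ak, body)              # tag covers the ciphertext

def open_encrypt_then_mac(ek, ak, wire):
    """Returns (packet or None, number of decryptions performed)."""
    body, tag = wire[:-TAG], wire[-TAG:]
    if not hmac.compare_digest(tag, mac(ak, body)):
        return None, 0                       # rejected before any decryption
    return xor_cipher(ek, body[:NONCE], body[NONCE:]), 1

def seal_mac_then_encrypt(ek, ak, nonce, packet):
    return nonce + xor_cipher(ek, nonce, packet + mac(ak, packet))

def open_mac_then_encrypt(ek, ak, wire):
    """Returns (packet or None, number of decryptions performed)."""
    plain = xor_cipher(ek, wire[:NONCE], wire[NONCE:])   # must decrypt first
    packet, tag = plain[:-TAG], plain[-TAG:]
    if not hmac.compare_digest(tag, mac(ak, packet)):
        return None, 1
    return packet, 1

def flip_bit(wire, index=NONCE + 2):
    """Simulate in-transit modification of one ciphertext byte."""
    return wire[:index] + bytes([wire[index] ^ 0x01]) + wire[index + 1:]

if __name__ == "__main__":
    ek, ak, nonce = b"E" * 16, b"A" * 16, b"\x00" * NONCE   # constructed keys
    pkt = b"inner IP packet from trusted host"              # constructed input
    for seal, unseal in ((seal_encrypt_then_mac, open_encrypt_then_mac),
                         (seal_mac_then_encrypt, open_mac_then_encrypt)):
        wire = seal(ek, ak, nonce, pkt)
        print(seal.__name__, unseal(ek, ak, wire), unseal(ek, ak, flip_bit(wire)))
```

Both layouts reject the modified packet; the difference is that the MAC-over-ciphertext receiver does so without running the decryption key over unauthenticated input.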

