
RE: notes from developer's portion of IETF meeting




>Optional integrity for ESP?  No.?  yes...?   I'd say no.

I was one of the ones arguing for optional integrity for ESP.  Why?
Because Mobile-IPv6 requires authentication of the entire packet
(especially the routing and/or destination option headers), I didn't
want to have to do an AH and then integrity again for ESP.

However, I did think of an alternative after the meeting (and since this
topic has been reopened...): Define AH such that if AH and ESP are in the
same packet but are not separated by an IPv4 or IPv6 header (i.e. not
tunnelled), the AH stops after the first 12 bytes of the ESP header.
If this were the case, I would not mind having ESP always
include integrity since I would not be doing integrity twice over the
entire packet.

>Optional confidentiality for ESP?   I'd also say no. 

Agreed.
-- 
Matt Thomas                    Internet:   matt.thomas@altavista-software.com
Internet Locksmith             WWW URL:    <coming eventually>
AltaVista Internet Software    Disclaimer: This message reflects my own
Littleton, MA                              warped views, etc.

