
RE: notes from developer's portion of IETF meeting



Rob,

	Another message addresses the question of whether ESP w/o crypto
authentication is meaningful, so I'll just comment on ESP w/o encryption.
The issue I have raised is not so much the raw speed of the algorithm, but
rather the overhead of data manipulation related to the fields in the IP
header that have to be copied and those that have to be zeroed and the
logic to make sure we treat each one appropriately.

	AH is a somewhat awkward protocol because it reaches forward in the
protocol stream, in a selective fashion, unlike ESP which is a traditional
encapsulation protocol and "cleaner."  But, AH can be appropriate in some
circumstances, as I have cited in previous messages.  However, some of the
examples cited for AH vs. encryptionless ESP are not good ones.  For
example, if we have a tunnel-mode SA between two IPSEC sites, the outer IP
header doesn't seem to require protection and thus ESP-based authentication
would be just fine.

So, no, it's not settled yet ...

Steve
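
Added example, not part of the message above and not code from any IPsec implementation: a simplified Python model of the per-field handling AH needs on the outer IPv4 header (mutable fields zeroed, the rest copied) beside ESP authentication in tunnel mode, which covers only what ESP encapsulates. The key, SPI, sequence number, addresses, the HMAC-SHA1-96 ICV and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed sample key
SPI, SEQ = 0x1000, 1            # constructed SA values

def ipv4_header(src, dst, ttl, proto, body_len, tos=0):
    """20-byte IPv4 header without options, checksum filled in."""
    fields = [0x45, tos, 20 + body_len, 0x1234, 0, ttl, proto, 0, src, dst]
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    total = sum(struct.unpack("!10H", raw))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    fields[7] = ~total & 0xFFFF
    return struct.pack("!BBHHHBBH4s4s", *fields)

def ah_icv(outer_hdr, inner_packet):
    """AH-style ICV: reaches into the outer IP header, field by field."""
    h = bytearray(outer_hdr)
    h[1] = 0                  # TOS: mutable, zeroed
    h[6:8] = b"\x00\x00"      # flags + fragment offset: mutable, zeroed
    h[8] = 0                  # TTL: mutable, zeroed
    h[10:12] = b"\x00\x00"    # header checksum: mutable, zeroed
    # version/IHL, length, ID, protocol and addresses are copied as-is
    ah = struct.pack("!BBHII", 4, 4, 0, SPI, SEQ) + bytes(12)  # ICV zeroed
    return hmac.new(KEY, bytes(h) + ah + inner_packet, hashlib.sha1).digest()[:12]

def esp_icv(inner_packet):
    """ESP-style ICV: ESP header plus the encapsulated packet, nothing else."""
    esp_hdr = struct.pack("!II", SPI, SEQ)
    return hmac.new(KEY, esp_hdr + inner_packet, hashlib.sha1).digest()[:12]

def demo():
    data = b"constructed payload"
    gw1, gw2, other = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]), bytes([203, 0, 113, 9])
    inner = ipv4_header(bytes([192, 0, 2, 50]), bytes([198, 51, 100, 60]), 64, 6, len(data)) + data
    tampered = ipv4_header(other, bytes([198, 51, 100, 60]), 64, 6, len(data)) + data
    sent = ipv4_header(gw1, gw2, 64, 51, 24 + len(inner))
    hop = ipv4_header(gw1, gw2, 63, 51, 24 + len(inner))        # TTL decremented in transit
    rewritten = ipv4_header(other, gw2, 64, 51, 24 + len(inner))  # outer source changed
    return {
        "ah_survives_ttl_change": ah_icv(sent, inner) == ah_icv(hop, inner),
        "ah_detects_outer_src_change": ah_icv(sent, inner) != ah_icv(rewritten, inner),
        "esp_protects_inner_header": esp_icv(inner) != esp_icv(tampered),
    }
```

In the tunnel-mode case the inner header is still authenticated by ESP because it is part of the encapsulated packet; only the outer header is left outside the ICV.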



