Re: New draft -- IPSEC ESP

[mark@mentat.com (Marc Hasson)]

I haven't read the entire draft yet (I will later today) but skipped straight to
this reference due to yesterday's E-mail on the mandatory algorithms:

 >    conjunction with SAs that are manually keyed.  A compliant ESP
 >    implementation MUST support the following mandatory-to-implement
 >    algorithms (specified in [KBC97] and in [MS97].
 > 
 >              - DES in CBC mode
 >              - HMAC with MD5
 >              - HMAC with SHA-1


 > 
 >    [MS97]    Perry Metzger & W.A. Simpson, "The ESP DES-CBC Transform",
 >              RFC-xxxx, August 1997.


Is MS97 the (expected) RFC version of draft-ietf-ipsec-ciph-des-derived-00.txt?

If so, the mandatory ESP DES_CBC will use an *implicit* IV, one
constructed from the ESP sequence # in the packet ("SN || -SN").  And
it will be optional for a key manager to negotiate some other "flavor"
of either implicit IV (such as the earlier SPI & SN concatenation for
automated key management) or an explicit IV.  I'm not an ISAKMP person
but I don't believe there is an implicit/explicit IV negotiation
parameter there currently though I guess its easy to add more DES
transform id variants for different IV handling, if someone thinks
thats necessary.  I'm *not* suggesting that its necessary, I'm just
trying to confirm what I need to finish building so key management and
the underlying auth/cipher code can do their jobs...

Thanks for any confirmation of the above.
                        
                         
   -- Marc --

---

Follow-Ups:

• Re: New draft -- IPSEC ESP
• From: "Theodore Y. Ts'o" <tytso@MIT.EDU>

---

• Prev by Date: Re: FW: private use ISAKMP attributes
• Next by Date: Re: "Default" cipher and authenticator
• Prev by thread: New draft -- IPSEC ESP
• Next by thread: Re: New draft -- IPSEC ESP
• Index(es):
  • Main
  • Thread