
RE: IPSEC WORKING GROUP LAST CALL



Baiju,


>My comments:
>
>If I read above statements carefully, it seems that Steve Bellovin is
>saying that authentication is
>mandatory for ESP which is different from what Steve Kent says.

In this case, Steve Kent is right. I read Steve Bellovin's remarks to be
emphasizing the importance of authentication in conjunction with
encryption, and that it would be dangerous to employ one without the other.
The ESP intro says exactly that, but because one could choose to achieve
authentication by various combinations of the IPsec protocols, it is not
mandated that ESP always enable authentication.

>I have been reading documents to figure out how you
>can specify not to use authentication with ESP

In the ESP spec, the introduction clearly states that authentication is an
optional feature, while confidentiality is mandatory.  Section 2.7 goes on
to state that the ICV is an optional field that is present only if
authentication is selected for the SA.  So, the issue seems to be whether
the DOI provides the requisite "transform identifiers" for negotiating this
combination of services.  If not, then we have another mismatch between the
documents, but it should be easy to fix.

Steve
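
The Section 2.7 point above, as an added example that is not part of the original message or of the ESP spec: nothing in an ESP packet says whether an ICV is present, so the receiver must take the ICV length from the SA it looks up by SPI. The `SA` and `EspPacket` classes, the SPI values and the 12-byte ICV length are assumptions made for illustration, and the packet bytes are constructed.

```python
import struct
from dataclasses import dataclass

@dataclass
class SA:
    """Hypothetical, minimal security association record."""
    spi: int
    icv_len: int  # 0 means authentication was not selected for this SA

@dataclass
class EspPacket:
    spi: int
    seq: int
    ciphertext: bytes  # encrypted payload, padding, pad length, next header
    icv: bytes         # empty when the SA carries no authentication

def parse_esp(packet: bytes, sad: dict) -> EspPacket:
    """Split an ESP packet using the SA selected by its SPI."""
    if len(packet) < 8:
        raise ValueError("shorter than the ESP header (SPI + sequence number)")
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sad.get(spi)
    if sa is None:
        raise LookupError(f"no SA for SPI {spi:#x}")
    body = packet[8:]
    if len(body) < sa.icv_len:
        raise ValueError("packet too short for the ICV this SA requires")
    split = len(body) - sa.icv_len
    return EspPacket(spi, seq, body[:split], body[split:])

# Constructed SA database: one SA with authentication, one without.
SAD = {
    0x1001: SA(spi=0x1001, icv_len=12),  # assumed 12-byte ICV
    0x1002: SA(spi=0x1002, icv_len=0),   # confidentiality only
}

# Constructed packet body: 16 opaque bytes followed by 12 trailing bytes.
BODY = bytes(range(16)) + b"\xaa" * 12
PKT_AUTH = struct.pack("!II", 0x1001, 1) + BODY
PKT_NOAUTH = struct.pack("!II", 0x1002, 1) + BODY

if __name__ == "__main__":
    for pkt in (PKT_AUTH, PKT_NOAUTH):
        p = parse_esp(pkt, SAD)
        print(f"SPI {p.spi:#x}: ciphertext={len(p.ciphertext)}B icv={len(p.icv)}B")
```

The same 28 trailing bytes parse as 16 bytes of ciphertext plus a 12-byte ICV under the first SA and as 28 bytes of ciphertext under the second, which is why both peers have to negotiate the same choice.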