FW: IPSEC WORKING GROUP LAST CALL
Mark helped me understand what is in the latest documents
on the issues I had raised, and I appreciate him sending it
to me in a private mail. I am forwarding it to the mailing
list for everyone's benefit.
Once again, thanks Mark.
Baiju
> -----Original Message-----
> From: mark@mentat.com [SMTP:mark@mentat.com]
> Sent: Friday, February 27, 1998 12:26 PM
> To: baiju.v.patel@intel.com
> Subject: RE: IPSEC WORKING GROUP LAST CALL
>
> Baiju,
>
> I'm sending this just to you, not the list.... Please read the specs
> more carefully to answer your very basic questions, see my comments
> below for clues.
>
> > Transform ID    Value
> > ------------    -----
> > RESERVED        0-1
> > AH_MD5          2
> > AH_SHA          3
> > AH_DES          4
> >
> > I do not see an AH NULL here.
>
> Correct. We're talking about AH, not ESP there. It is not allowed to
> have a NULL or no authentication with the authentication header (AH);
> that's its purpose in life!
>
> >
> > ESP specs do not have authentication data optional. Therefore, we do
> > need this field. If we indeed managed to specify null authentication,
> > what will be the length of this field and what would we put there.
>
> Please read draft-ietf-ipsec-esp-v2-03.txt and note in particular the
> following section. There are also numerous references throughout the
> document to this issue of ESP without authentication.
>
> 2.7 Authentication Data
>
> The Authentication Data is a variable-length field containing an
> Integrity Check Value (ICV) computed over the ESP packet minus the
> Authentication Data. The length of the field is specified by the
> authentication function selected. The Authentication Data field is
> optional, and is included only if the authentication service has been
> selected for the SA in question. The authentication algorithm
> specification MUST specify the length of the ICV and the comparison
> rules and processing steps for validation.
>
>
> Also, note the following text from section 4.5 of the document
> draft-ietf-ipsec-ipsec-doi-07.txt. This explains how to have ESP
> negotiated without an authentication algorithm.
>
> There is no default value for Auth Algorithm, as it must be
> specified to correctly identify the applicable AH or ESP
> transform, except in the following case.
>
> When negotiating ESP without authentication, the Auth
> Algorithm attribute MUST NOT be included in the proposal.
>
>
>
> Hope this helps! Perhaps once you've re-read these documents carefully
> you'll see how to use AH+ESP effectively, or perhaps decide ESP alone
> is sufficient, perhaps in tunnel mode.
>
>
> -- Marc --
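As an added illustration of the two points quoted in the reply above (the Authentication Data field exists only when the SA selected an authentication service, and its length is fixed by that algorithm; a proposal for ESP without authentication omits the Auth Algorithm attribute), here is example Python that is not part of this thread or of any IPsec implementation. The HMAC-MD5-96 and HMAC-SHA-1-96 names and their 12-byte ICVs come from the RFCs rather than from the mail, and the proposal structure is a constructed toy, not real ISAKMP encoding.

```python
import hmac
import hashlib
import struct

# Constructed table: the ESP text quoted above says the Authentication Data
# length is fixed by the selected algorithm.  The 96-bit (12-byte) ICVs for
# the HMAC-*-96 algorithms come from RFC 2403/2404, not from this mail; None
# models an SA negotiated without authentication.
ICV_LEN = {None: 0, "HMAC-MD5-96": 12, "HMAC-SHA-1-96": 12}
DIGEST = {"HMAC-MD5-96": hashlib.md5, "HMAC-SHA-1-96": hashlib.sha1}


def build_esp(spi, seq, ciphertext, auth_alg=None, key=b""):
    """SPI | Sequence Number | ciphertext (incl. encrypted trailer) [| ICV]."""
    pkt = struct.pack("!II", spi, seq) + ciphertext
    if auth_alg is not None:
        # ICV is computed over the ESP packet minus the Authentication Data
        pkt += hmac.new(key, pkt, DIGEST[auth_alg]).digest()[:ICV_LEN[auth_alg]]
    return pkt


def parse_esp(pkt, auth_alg=None, key=b""):
    """Split an ESP packet the way the receiving SA dictates.

    Returns (spi, seq, ciphertext, icv_ok).  With no authentication on the SA
    the field is absent, so nothing is stripped and icv_ok is None."""
    n = ICV_LEN[auth_alg]
    if len(pkt) < 8 + n:
        raise ValueError("ESP packet shorter than header plus ICV")
    spi, seq = struct.unpack("!II", pkt[:8])
    if n == 0:
        return spi, seq, pkt[8:], None
    body, icv = pkt[:-n], pkt[-n:]
    expected = hmac.new(key, body, DIGEST[auth_alg]).digest()[:n]
    # constant-time comparison so a forged ICV leaks no timing information
    return spi, seq, body[8:], hmac.compare_digest(icv, expected)


def build_proposal(transform_id, auth_alg=None):
    """Toy ESP proposal (dict, not real ISAKMP encoding).  Following the DOI
    rule quoted above, the Auth Algorithm attribute is omitted entirely when
    ESP is negotiated without authentication."""
    attrs = {}
    if auth_alg is not None:
        attrs["Auth Algorithm"] = auth_alg
    return {"Transform ID": transform_id, "Attributes": attrs}
```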