
FW: IPSEC WORKING GROUP LAST CALL




Mark helped me understand what is in the latest documents
on the issues I had raised, and I appreciate him sending it
to me in a private mail. I am forwarding it to the mailing
list for everyone's benefit.

Once again, thanks Mark.

Baiju
> -----Original Message-----
> From:	mark@mentat.com [SMTP:mark@mentat.com]
> Sent:	Friday, February 27, 1998 12:26 PM
> To:	baiju.v.patel@intel.com
> Subject:	RE: IPSEC WORKING GROUP LAST CALL
> 
> Baiju,
> 
> I'm sending this just to you, not the list....  Please read the specs
> more carefully to answer your very basic questions, see my comments
> below for clues.
> 
>  > Transform ID   Value
>  > ------------   -----
>  > RESERVED       0-1
>  > AH_MD5         2
>  > AH_SHA         3
>  > AH_DES         4
>  > 
>  > I do not see an AH NULL here.
> 
> Correct.  We're talking about AH, not ESP there.  It is not allowed to
> have a NULL or no authentication with the authentication header (AH);
> that's its purpose in life!
> 
>  > 
>  > ESP specs do not have authentication data optional. Therefore, we do
>  > need this field. If we indeed managed to specify null authentication,
>  > what will be the length of this field and what would we put there.
> 
> Please read draft-ietf-ipsec-esp-v2-03.txt and note in particular the
> following section.  There are also numerous references throughout the
> document to this issue of ESP without authentication.
> 
>   2.7  Authentication Data
>   
>      The Authentication Data is a variable-length field containing an
>      Integrity Check Value (ICV) computed over the ESP packet minus the
>      Authentication Data.  The length of the field is specified by the
>      authentication function selected.  The Authentication Data field is
>      optional, and is included only if the authentication service has been
>      selected for the SA in question.  The authentication algorithm
>      specification MUST specify the length of the ICV and the comparison
>      rules and processing steps for validation.
> 
> 
> Also, note the following text from section 4.5 of the document
> draft-ietf-ipsec-ipsec-doi-07.txt.  This explains how to have ESP
> negotiated without an authentication algorithm.
> 
>            There is no default value for Auth Algorithm, as it must be
>            specified to correctly identify the applicable AH or ESP
>            transform, except in the following case.
> 
>            When negotiating ESP without authentication, the Auth
>            Algorithm attribute MUST NOT be included in the proposal.
> 
> 
> 
> Hope this helps!  Perhaps once you've re-read these documents carefully
> you'll see how to use AH+ESP effectively or perhaps decide ESP alone
> is sufficient, perhaps in tunnel mode.
> 
>    -- Marc --
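The two spec excerpts above (ESP's optional Authentication Data field and the DOI rule that an ESP proposal without authentication carries no Auth Algorithm attribute) can be shown working together in a small Python model. This is an added example, not code from the thread or from any IPsec implementation: the `EspSA`, `build_esp`, `verify_esp` and `negotiated_auth` names and the proposal dictionaries are this example's own; encryption is left out, so `payload` stands in for the already-encrypted payload plus ESP trailer; the 96-bit ICV truncation for HMAC-MD5 and HMAC-SHA-1 comes from RFC 2403/2404 rather than from the drafts quoted here. The point it makes is the answer to Baiju's question: when no authentication service is selected for the SA, the Authentication Data field has length zero and simply does not exist, and the receiver's validation step is skipped rather than given a dummy value.

```python
"""ESP with an optional Authentication Data (ICV) field, plus the DOI
proposal rule for ESP-without-authentication.  Added example; the
identifiers below are constructed for illustration."""
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# ICV length per authentication algorithm.  96-bit truncation per RFC 2403/2404;
# the key names are this example's own labels, not DOI attribute values.
ICV_LEN = {"HMAC-MD5": 12, "HMAC-SHA": 12}
HASH_NAME = {"HMAC-MD5": "md5", "HMAC-SHA": "sha1"}

ESP_HEADER_LEN = 8  # SPI (4 bytes) + Sequence Number (4 bytes)


@dataclass
class EspSA:
    spi: int
    auth_alg: Optional[str]   # None means ESP was negotiated without authentication
    auth_key: bytes = b""


def icv_length(sa: EspSA) -> int:
    """Length of the Authentication Data field: 0 when no auth service is selected."""
    return 0 if sa.auth_alg is None else ICV_LEN[sa.auth_alg]


def compute_icv(sa: EspSA, data: bytes) -> bytes:
    """ICV over the ESP packet minus the Authentication Data field."""
    mac = hmac.new(sa.auth_key, data, HASH_NAME[sa.auth_alg]).digest()
    return mac[:ICV_LEN[sa.auth_alg]]


def build_esp(sa: EspSA, seq: int, payload: bytes) -> bytes:
    """Build an ESP packet.  `payload` stands in for the encrypted payload + trailer."""
    body = struct.pack("!II", sa.spi, seq) + payload
    if sa.auth_alg is None:
        return body                      # no Authentication Data field at all
    return body + compute_icv(sa, body)


def verify_esp(sa: EspSA, packet: bytes) -> Tuple[int, bytes]:
    """Validate an ESP packet against its SA and return (sequence number, payload).

    The ICV check runs only when the SA selected an authentication service;
    otherwise the packet is accepted as-is (the caller must know that such an
    SA gives no integrity protection)."""
    n = icv_length(sa)
    if len(packet) < ESP_HEADER_LEN + n:
        raise ValueError("truncated ESP packet")
    spi, seq = struct.unpack("!II", packet[:ESP_HEADER_LEN])
    if spi != sa.spi:
        raise ValueError("SPI does not match SA")
    if n == 0:
        return seq, packet[ESP_HEADER_LEN:]
    body, icv = packet[:-n], packet[-n:]
    if not hmac.compare_digest(icv, compute_icv(sa, body)):
        raise ValueError("ICV mismatch")
    return seq, body[ESP_HEADER_LEN:]


def negotiated_auth(protocol: str, attributes: dict) -> Optional[str]:
    """Apply the DOI rules quoted in the thread to a (constructed) proposal.

    AH : Auth Algorithm is mandatory; there is no AH NULL.
    ESP: Auth Algorithm present  -> authentication selected,
         Auth Algorithm absent   -> ESP without authentication."""
    auth = attributes.get("Auth Algorithm")
    if protocol == "AH":
        if auth is None:
            raise ValueError("AH proposal must carry an Auth Algorithm")
    elif protocol != "ESP":
        raise ValueError("unknown protocol %r" % protocol)
    if auth is not None and auth not in ICV_LEN:
        raise ValueError("unsupported Auth Algorithm %r" % auth)
    return auth


if __name__ == "__main__":
    # Constructed SAs: one with HMAC-SHA, one negotiated without authentication.
    sa_auth = EspSA(spi=0x200, auth_alg=negotiated_auth("ESP", {"Auth Algorithm": "HMAC-SHA"}),
                    auth_key=b"\x0b" * 20)
    sa_none = EspSA(spi=0x100, auth_alg=negotiated_auth("ESP", {}))
    pkt = build_esp(sa_auth, 5, b"data")
    print(len(pkt), verify_esp(sa_auth, pkt))        # 24 (8 + 4 + 12-byte ICV)
    pkt = build_esp(sa_none, 1, b"hello")
    print(len(pkt), verify_esp(sa_none, pkt))        # 13 (8 + 5, no ICV)
```

Note that `verify_esp` on an SA with `auth_alg=None` accepts any packet whose SPI matches; that is exactly the property Mark is pointing at when he suggests pairing such an ESP SA with AH or choosing ESP with authentication instead.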