[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
AH/ESP drafts
Folks,
Here is a summary of the changes we've made to the IPsec AH and ESP
drafts. Please accept our apologies if we've missed any
comments/corrections.
At the request of the WG Chairs, we are sending the draft to both
the IETF secretariat and directly to the mailing list (to minimize
delays.) This latest versions are:
draft-ietf-ipsec-esp-v2-04.txt
draft-ietf-ipsec-auth-header-05.txt
Thank you,
Karen
===========================================================================
AH Changes
Section 3.3.3 Integrity Check Value Calculation -- P. Goli
Changed to be consistent with Section 3.3.3.2.1 in saying that
the padding is included in the ICV calculation:
The AH ICV is computed over:
o IP header fields that are either immutable in
transit or that are predictable in value upon
arrival at the endpoint for the AH SA
o the AH header (Next Header, Payload Len,
Reserved, SPI, Sequence Number, and the
Authentication Data (which is set to zero for
this computation))
o the upper level protocol data, which is
assumed to be immutable in transit
to:
The AH ICV is computed over:
o IP header fields that are either immutable in
transit or that are predictable in value upon
arrival at the endpoint for the AH SA
o the AH header (Next Header, Payload Len,
Reserved, SPI, Sequence Number, and the
Authentication Data (which is set to zero for
this computation), and explicit padding bytes
(if any))
o the upper level protocol data, which is
assumed to be immutable in transit
===========================================================================
ESP Changes
1. Typos/Clarifications -- per J. Daily
Section 3.4.1 Reassembly
Added "received" after the words "date/time" in the list of
items to log for an auditable event.
Added "Sequence Number" to the list of items to log for an
auditable event
Section 3.4.2 Security Association Lookup
Added "received" after the words "date/time" in the list of
items to log for an auditable event.
Added "Sequence Number" to the list of items to log for an
auditable event
Section 3.4.3 Sequence Number Verification
Added "received" after the words "date/time" in the list of
items to log for an auditable event.
Section 3.4.4 Integrity Check Value Verification
Added "Sequence Number" to the list of items to log for an
auditable event
2. Modify to make ESP encryption optional -- per community and WG-chairs
------------------------------------------------------------------------
Section 1. Introduction
Changed 3rd paragraph from:
ESP is used to provide.... Data origin authentication
and connectionless integrity are joint services
(hereafter referred to jointly as "authentication) and
are offered as an option in conjunction with
confidentiality....
to:
ESP is used to provide.... Data origin authentication
and connectionless integrity are joint services
(hereafter referred to jointly as "authentication) and
are offered as an option in conjunction with (optional)
confidentiality.... Note that although both
confidentiality and authentication are optional, at
least one of them MUST be selected.
Section 3.2 Algorithms
Added sentence to 1st paragraph
Note that although both confidentiality and
authentication are optional, at least one of these
services MUST be selected hence both algorithms MUST NOT
be simultaneously NULL.
Section 3.3.2 Packet Encryption
Changed leadin sentence from:
The sender:
1. encapsulates....
2. adds...
3. encrypts...
to
If confidentiality is selected, then the sender:
1. encapsulates....
2. adds...
3. encrypts...
Section 3.4.5 Packet Decryption
Changed leadin sentence from:
The receiver:
1. decrypts....
to
If confidentiality has been selected, then the receiver:
1. decrypts....
Section 5. Conformance Requirements
Changed list of algorithms from:
- DES in CBC mode [MD97]
- HMAC with MD5 [MG97a]
- HMAC with SHA-1 [MG97b]
to:
- DES in CBC mode [MD97]
- HMAC with MD5 [MG97a]
- HMAC with SHA-1 [MG97b]
- NULL Authentication algorithm
- NULL Encryption algorithm
Added the text:
Since ESP encryption and authentication are optional,
support for the 2 "NULL" algorithms is required to
maintain consistency with the way these services are
negotiated. NOTE that while authentication and
encryption can each be "NULL", they MUST NOT both be
"NULL".
Follow-Ups: