[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AH/ESP drafts



Folks,

Here is a summary of the changes we've made to the IPsec AH and ESP
drafts.  Please accept our apologies if we've missed any
comments/corrections.

At the request of the WG Chairs, we are sending the draft to both
the IETF secretariat and directly to the mailing list (to minimize
delays.)   This latest versions are:
	draft-ietf-ipsec-esp-v2-04.txt
	draft-ietf-ipsec-auth-header-05.txt

Thank you,
Karen

===========================================================================

AH Changes

Section 3.3.3  Integrity Check Value Calculation -- P. Goli

	Changed to be consistent with Section 3.3.3.2.1 in saying that
	the padding is included in the ICV calculation:
		The AH ICV is computed over:
		        o IP header fields that are either immutable in
		          transit or that are predictable in value upon
		          arrival at the endpoint for the AH SA
		        o the AH header (Next Header, Payload Len,
		          Reserved, SPI, Sequence Number, and the
		          Authentication Data (which is set to zero for
		          this computation))
		        o the upper level protocol data, which is
		          assumed to be immutable in transit

	to:
		The AH ICV is computed over:
		        o IP header fields that are either immutable in
		          transit or that are predictable in value upon
		          arrival at the endpoint for the AH SA
		        o the AH header (Next Header, Payload Len,
		          Reserved, SPI, Sequence Number, and the
		          Authentication Data (which is set to zero for
		          this computation), and explicit padding bytes
		          (if any))
		        o the upper level protocol data, which is
		          assumed to be immutable in transit

===========================================================================
ESP Changes

1. Typos/Clarifications -- per J. Daily

Section 3.4.1  Reassembly

	Added "received" after the words "date/time" in the list of
	items to log for an auditable event.

	Added "Sequence Number" to the list of items to log for an
	auditable event

Section 3.4.2  Security Association Lookup

	Added "received" after the words "date/time" in the list of
	items to log for an auditable event.

	Added "Sequence Number" to the list of items to log for an
	auditable event
	

Section 3.4.3  Sequence Number Verification

	Added "received" after the words "date/time" in the list of
	items to log for an auditable event.

Section 3.4.4  Integrity Check Value Verification

	Added "Sequence Number" to the list of items to log for an
	auditable event

 
2. Modify to make ESP encryption optional -- per community and WG-chairs
------------------------------------------------------------------------

Section 1. Introduction

	Changed 3rd paragraph from:

		ESP is used to provide.... Data origin authentication
		and connectionless integrity are joint services
		(hereafter referred to jointly as "authentication) and
		are offered as an option in conjunction with
		confidentiality....

	to:

		ESP is used to provide.... Data origin authentication
		and connectionless integrity are joint services
		(hereafter referred to jointly as "authentication) and
		are offered as an option in conjunction with (optional)
		confidentiality.... Note that although both
		confidentiality and authentication are optional, at
		least one of them MUST be selected.

Section 3.2 Algorithms

	Added sentence to 1st paragraph 

		Note that although both confidentiality and
		authentication are optional, at least one of these
		services MUST be selected hence both algorithms MUST NOT
		be simultaneously NULL.

Section 3.3.2 Packet Encryption

	Changed leadin sentence from:

		The sender:
			1. encapsulates....
			2. adds...
			3. encrypts...

	to
		If confidentiality is selected, then the sender:
			1. encapsulates....
			2. adds...
			3. encrypts...

Section 3.4.5  Packet Decryption

	Changed leadin sentence from:

		The receiver:
		        1. decrypts....

	to
		If confidentiality has been selected, then the receiver:
		        1. decrypts....

Section 5. Conformance Requirements

	Changed list of algorithms from:
		- DES in CBC mode [MD97]
		- HMAC with MD5 [MG97a]
	        - HMAC with SHA-1 [MG97b]

	to:
		- DES in CBC mode [MD97]
		- HMAC with MD5 [MG97a]
	        - HMAC with SHA-1 [MG97b]
        	- NULL Authentication algorithm
	        - NULL Encryption algorithm

	Added the text:

		Since ESP encryption and authentication are optional,
		support for the 2 "NULL" algorithms is required to
		maintain consistency with the way these services are
		negotiated.  NOTE that while authentication and
		encryption can each be "NULL", they MUST NOT both be
		"NULL".


Follow-Ups: