Mandatory Algorithms for ESP?
In reviewing the recent drafts, I found a discrepancy in the mandatory-to-support algorithms (transforms) between "Domain of Interpretation" (....doi-08.txt) and "ESP" (...esp-v2.04.txt). In the ESP draft, it states in Section 5 that a compliant ESP implementation MUST support DES in CBC Mode, HMAC with MD5, HMAC with SHA-1, NULL encryption, and NULL authentication. But in the DOI draft, section 4.4.4, the only mandatory-to-support transforms are NULL encryption and DES with HMAC_MD5.

I'm guessing that the information in the DOI draft is valid, and that the ESP draft should be clarified to be consistent.
If ESP were the controlling draft, there would be 5 mandatory-to-implement algorithms: ESP(DES-CBC, HMAC-MD5), ESP(DES-CBC, HMAC-SHA), ESP(DES-CBC, NULL), ESP(NULL, HMAC-MD5), and ESP(NULL, HMAC-SHA). This seems excessive, to say the least.

However, in the DOI, we should probably also specify a mandatory-to-implement authentication attribute for use with NULL encryption, since ESP(NULL, NULL) is an illegal case.

To net it out, I'm working on the assumption that the mandatory-to-implement algorithms (transforms?) for use in ESP are: a) ESP(DES-CBC, HMAC-MD5) and b) ESP(NULL, HMAC-MD5). Is this correct?

Also, do the terms "algorithm" and "transform" mean the same thing, or is there some subtle difference that I need to be aware of?
Thanks,
Charlie
____________________________
Charles A Kunzinger (kunzinge@us.ibm.com)
TCP/IP Technology Management, JDGA/501, RTP
Phone: Tieline 8-444-4142 , External 1-919-254-4142
Fax: Tieline 8-444-6243, External 1-919-254-6243
VM: IBMUSM27(KUNZINGE)
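As an added example, not part of Charlie's message or of the ESP/DOI drafts, the following Python builds and verifies ESP packets for the NULL-encryption transforms under discussion, ESP(NULL, HMAC-MD5) and ESP(NULL, HMAC-SHA), and rejects the illegal ESP(NULL, NULL) combination. The packet layout (SPI, sequence number, payload, padding, pad length, next header, ICV) follows the ESP v2 draft; the 96-bit ICV truncation, the function names and the key are assumptions, and DES-CBC is deliberately not implemented so the example stays within the standard library.

```python
import hashlib
import hmac
import struct

# Truncated ICV length (96 bits), as used by the HMAC-MD5-96 / HMAC-SHA-1-96
# transforms (assumed here; the draft text itself is not quoted).
ICV_LEN = 12

# Transforms supported by this example: only the NULL cipher is implemented
# (DES-CBC is left out on purpose to keep the example stdlib-only).
ENCRYPTION_ALGS = {"NULL"}
AUTH_ALGS = {"NULL": None, "HMAC-MD5": hashlib.md5, "HMAC-SHA": hashlib.sha1}


def check_transform(enc: str, auth: str) -> None:
    """Reject unsupported or illegal ESP transform combinations."""
    if enc not in ENCRYPTION_ALGS:
        raise ValueError(f"unsupported encryption transform {enc!r}")
    if auth not in AUTH_ALGS:
        raise ValueError(f"unsupported authentication transform {auth!r}")
    # ESP(NULL, NULL) gives neither confidentiality nor integrity.
    if enc == "NULL" and auth == "NULL":
        raise ValueError("ESP(NULL, NULL) is not a legal transform")


def compute_icv(auth: str, key: bytes, data: bytes) -> bytes:
    """HMAC over SPI + sequence number + (encrypted) payload, truncated to ICV_LEN."""
    digestmod = AUTH_ALGS[auth]
    if digestmod is None:
        return b""
    return hmac.new(key, data, digestmod).digest()[:ICV_LEN]


def esp_encapsulate(spi: int, seq: int, payload: bytes, next_header: int,
                    key: bytes, enc: str = "NULL", auth: str = "HMAC-MD5") -> bytes:
    """Build an ESP packet: SPI | seq | payload | padding | pad len | next hdr | ICV."""
    check_transform(enc, auth)
    # Pad so that payload + padding + the two trailer bytes is 4-byte aligned.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))      # default 1,2,3,... padding bytes
    trailer = padding + bytes([pad_len, next_header])
    body = payload + trailer                    # NULL cipher: no transformation
    header = struct.pack("!II", spi, seq)
    authenticated = header + body
    return authenticated + compute_icv(auth, key, authenticated)


def esp_decapsulate(packet: bytes, key: bytes, enc: str = "NULL",
                    auth: str = "HMAC-MD5") -> tuple:
    """Verify the ICV, strip the trailer and return (spi, seq, next_header, payload)."""
    check_transform(enc, auth)
    icv_len = 0 if auth == "NULL" else ICV_LEN
    if len(packet) < 8 + 2 + icv_len:
        raise ValueError("packet too short")
    split = len(packet) - icv_len
    authenticated, icv = packet[:split], packet[split:]
    # Constant-time comparison: verify before touching any payload bytes.
    if not hmac.compare_digest(icv, compute_icv(auth, key, authenticated)):
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", authenticated[:8])
    plain = authenticated[8:]                   # NULL cipher: no transformation
    pad_len, next_header = plain[-2], plain[-1]
    if pad_len > len(plain) - 2:
        raise ValueError("pad length exceeds payload")
    payload_end = len(plain) - 2 - pad_len
    if plain[payload_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes are malformed")
    return spi, seq, next_header, plain[:payload_end]


if __name__ == "__main__":
    key = b"constructed-example-key"            # constructed, not a real SA key
    pkt = esp_encapsulate(0x1000, 1, b"hello world", 6, key)
    print(pkt.hex())                            # payload is visible in the clear
    print(esp_decapsulate(pkt, key))
```

With NULL encryption the payload sits in the packet unchanged, so the ICV is the only protection the transform provides; that is exactly why ESP(NULL, NULL) is disallowed and why a mandatory authentication attribute has to accompany NULL encryption.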