
Re: Mandatory Algorithms for ESP?



Charles,

Actually, the DOI is in error here.  The text under the DOI ESP section dates
from before SHA-1 was a mandatory authentication algorithm.  Since the AH
section (correctly) mandates MD5 and SHA-1, the correct interpretation for ESP
should be that support for both MD5 and SHA-1 is a MUST.

In summary, the following combinations are required by the IPSEC DOI:

   AH(HMAC-MD5)
   AH(HMAC-SHA)

   ESP_NULL(HMAC-MD5)
   ESP_NULL(HMAC-SHA)
   ESP_DES(<no integrity>)
   ESP_DES(HMAC-MD5)
   ESP_DES(HMAC-SHA)

>Also, do the terms "algorithm" and "transform" mean the same thing, or is there
>some subtle difference that I need to be aware of?

"Algorithm" is more general than "transform," in the sense that DES is the
base cryptographic algorithm used by the ESP_DES transform.  In other words,
the ESP_DES transform describes how to apply the DES algorithm in the ESP
context.  The resulting method, including things like how to do padding and IV
generation, is the defined transform.

Derrell
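The following Python is an added example, not code from the message above or from the IPSEC working group. It models two of the required combinations listed in the reply, ESP_NULL(HMAC-MD5) and ESP_NULL(HMAC-SHA), to make the algorithm/transform distinction concrete: the algorithm is HMAC over MD5 or SHA-1, while the transform is the rule set for applying it to an ESP packet (SPI and sequence number header, padding to 4-byte alignment, pad-length and next-header trailer, and a 96-bit truncated ICV), following the ESP layout standardized in RFC 2406, NULL encryption per RFC 2410 and HMAC-96 truncation per RFC 2403/2404. The key, SPI, inner protocol numbers and payloads are constructed for the example.

```python
import hmac
import struct

# Added example, not from the original post. Models the ESP_NULL(HMAC-MD5) and
# ESP_NULL(HMAC-SHA) transforms: the "algorithm" is HMAC-MD5 or HMAC-SHA-1, the
# "transform" is the rule set for applying it to an ESP packet (header, trailer,
# alignment, 96-bit ICV truncation). Layout per RFC 2406, NULL encryption per
# RFC 2410, truncation per RFC 2403/2404. Keys, SPI and payloads are constructed.

ICV_LEN = 12     # HMAC-MD5-96 / HMAC-SHA-1-96: authenticator is the first 96 bits
ALIGN = 4        # ESP_NULL: payload + padding + trailer must be a multiple of 4
HDR_FMT = "!II"  # SPI, sequence number (both 32-bit, network byte order)


class EspNullTransform:
    """One direction of an ESP SA using NULL encryption and HMAC-*-96 integrity."""

    def __init__(self, auth_alg, auth_key, spi):
        if auth_alg not in ("md5", "sha1"):
            raise ValueError("only HMAC-MD5-96 and HMAC-SHA-1-96 are modelled")
        self.auth_alg = auth_alg
        self.auth_key = auth_key
        self.spi = spi
        self.seq = 0  # sender-side sequence number, incremented per packet

    def _icv(self, authenticated):
        # The ICV covers SPI, seq, payload, padding, pad length and next header.
        return hmac.new(self.auth_key, authenticated, self.auth_alg).digest()[:ICV_LEN]

    def encapsulate(self, payload, next_header):
        if self.seq >= 0xFFFFFFFF:
            raise RuntimeError("sequence number exhausted; rekey the SA")
        self.seq += 1
        # Two trailer bytes (pad length, next header) follow the padding.
        pad_len = (-(len(payload) + 2)) % ALIGN
        padding = bytes(range(1, pad_len + 1))  # default self-describing pad bytes
        header = struct.pack(HDR_FMT, self.spi, self.seq)
        body = payload + padding + bytes([pad_len, next_header])
        return header + body + self._icv(header + body)

    def verify(self, packet):
        """True iff the packet is long enough and its ICV matches under this SA."""
        if len(packet) < struct.calcsize(HDR_FMT) + 2 + ICV_LEN:
            return False
        authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        return hmac.compare_digest(icv, self._icv(authenticated))

    def decapsulate(self, packet):
        """Return (next_header, payload, seq); raise ValueError on any failure."""
        # Check integrity before interpreting any field the peer controls.
        if not self.verify(packet):
            raise ValueError("ICV check failed")
        hdr_len = struct.calcsize(HDR_FMT)
        spi, seq = struct.unpack(HDR_FMT, packet[:hdr_len])
        if spi != self.spi:
            raise ValueError("SPI does not match this SA")
        body = packet[hdr_len:-ICV_LEN]
        pad_len, next_header = body[-2], body[-1]
        if pad_len > len(body) - 2:
            raise ValueError("pad length exceeds body")
        payload_end = len(body) - 2 - pad_len
        if body[payload_end:len(body) - 2] != bytes(range(1, pad_len + 1)):
            raise ValueError("padding bytes do not follow the default pattern")
        return next_header, body[:payload_end], seq


if __name__ == "__main__":
    sa = EspNullTransform("sha1", b"constructed-16-byte-key!", 0x00001234)
    pkt = sa.encapsulate(b"hello", 17)  # 17 = UDP as the inner protocol (constructed)
    print(sa.decapsulate(pkt))
    tampered = bytearray(pkt)
    tampered[8] ^= 0x01                  # flip one payload bit
    print("tampered verifies:", sa.verify(bytes(tampered)))
```

Two points the code makes that the prose only implies: the pad length and next header are inside the ICV, so the receiver checks the ICV before trusting either, and a packet built under the HMAC-MD5 transform fails verification under the HMAC-SHA transform with the same key and SPI, which is why the negotiated transform, not just the key, must match on both ends. The ESP_DES(<no integrity>) entry in the list above would have no ICV at all, so none of these checks would apply to it.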
