Re: Mandatory Algorithms for ESP?
Charles,
Actually, the DOI is in error here. The text under the DOI ESP section dates
from before SHA-1 was a mandatory authentication algorithm. Since the AH
section (correctly) mandates MD5 and SHA-1, the correct interpretation for ESP
should be that support for both MD5 and SHA-1 is a MUST.
In summary, the following combinations are required by the IPSEC DOI:
AH(HMAC-MD5)
AH(HMAC-SHA)
ESP_NULL(HMAC-MD5)
ESP_NULL(HMAC-SHA)
ESP_DES(<no integrity>)
ESP_DES(HMAC-MD5)
ESP_DES(HMAC-SHA)
>Also, do the terms "algorithm" and "transform" mean the same thing, or is there
>some subtle difference that I need to be aware of?
"Algorithm" is more general than "transform," in the sense that DES is the
base cryptographic algorithm used by the ESP_DES transform. In other words,
the ESP_DES transform describes how to apply the DES algorithm in the ESP
context. The resulting method, including things like how to do padding and IV
generation, results in a defined transform.
Derrell