
Last call and the DOI
Interestingly, ESP_DES or ESP_3DES with no auth attribute does not mean
the same as any of the other ESP_* without an auth attribute.  Namely,
the following portions of DOI-08 prevent us from negotiating a DES or
3DES transform without authentication.

Perhaps this should be fixed?

4.4.4.2 ESP_DES

   The ESP_DES type specifies a generic DES transform using DES-CBC.
   The actual protection suite is determined in concert with an
   associated SA attribute list.  A generic transform is currently
   undefined.

   All implementations within the IPSEC DOI MUST support ESP_DES along
   with the Auth(HMAC-MD5) attribute.  This suite is defined as the
   [DES] transform, with authentication and integrity provided by HMAC
   MD5.

4.4.4.3 ESP_3DES

   The ESP_3DES type specifies a generic triple-DES transform.  The
   actual protection suite is determined in concert with an associated
   SA attribute list.  The generic transform is currently undefined.

   All implementations within the IPSEC DOI are strongly encouraged to
   support ESP_3DES along with the Auth(HMAC-MD5) attribute.  This suite
   is defined as the [ESPCBC] transform, with authentication and
   integrity provided by HMAC MD5.
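The asymmetry described in the message, worked through as an added example (not code from the post or from any IKE implementation): a proposal is modelled as a transform name plus its SA attribute list, and the effective suite is resolved the way the quoted DOI-08 text reads, with ESP_DES/ESP_3DES implicitly carrying Auth(HMAC-MD5) while any other ESP_* transform is taken literally. ESP_NULL is a transform from the IPsec DOI that does not appear above; the proposal list is constructed for the example.

```python
# Transforms the quoted DOI-08 text defines together with Auth(HMAC-MD5).
# Constructed model of that text, not a transcription of any IKE daemon's tables.
IMPLICIT_AUTH = {"ESP_DES": "HMAC-MD5", "ESP_3DES": "HMAC-MD5"}


def effective_suite(transform, attributes):
    """Resolve (transform, auth) for one ESP proposal.

    attributes maps SA attribute names to values, e.g. {"Auth": "HMAC-MD5"}.
    An explicit Auth attribute always wins.  If it is absent, ESP_DES and
    ESP_3DES still resolve to HMAC-MD5 (the suites are *defined* with it),
    whereas every other ESP_* transform resolves to no integrity at all.
    """
    auth = attributes.get("Auth")
    if auth is None:
        auth = IMPLICIT_AUTH.get(transform)  # None for all other transforms
    return (transform, auth)


def audit(proposals):
    """Report proposals that would negotiate confidentiality without integrity.

    proposals is a list of (transform, attributes) pairs as an initiator
    might offer them; unauthenticated ESP is the weak case worth flagging.
    """
    findings = []
    for transform, attributes in proposals:
        _, auth = effective_suite(transform, attributes)
        if auth is None:
            findings.append(f"{transform}: no authentication negotiated")
    return findings


# Constructed sample: three transforms, none with an explicit Auth attribute,
# plus one 3DES proposal that names its integrity algorithm explicitly.
SAMPLE_PROPOSALS = [
    ("ESP_DES", {}),
    ("ESP_3DES", {}),
    ("ESP_NULL", {}),
    ("ESP_3DES", {"Auth": "HMAC-SHA"}),
]

if __name__ == "__main__":
    for transform, attrs in SAMPLE_PROPOSALS:
        print(transform, "->", effective_suite(transform, attrs))
    print(audit(SAMPLE_PROPOSALS))
```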
