Last call and the DOI
Interestingly, ESP_DES or ESP_3DES with no auth attribute does not mean
the same as any of the other ESP_* without an auth attribute. Namely,
the following portions of DOI-08 prevent us from negotiating a DES or
3DES transform without authentication.

Perhaps this should be fixed?

4.4.4.2 ESP_DES

The ESP_DES type specifies a generic DES transform using DES-CBC.
The actual protection suite is determined in concert with an
associated SA attribute list. A generic transform is currently
undefined.

All implementations within the IPSEC DOI MUST support ESP_DES along
with the Auth(HMAC-MD5) attribute. This suite is defined as the
[DES] transform, with authentication and integrity provided by HMAC
MD5.

4.4.4.3 ESP_3DES

The ESP_3DES type specifies a generic triple-DES transform. The
actual protection suite is determined in concert with an associated
SA attribute list. The generic transform is currently undefined.

All implementations within the IPSEC DOI are strongly encouraged to
support ESP_3DES along with the Auth(HMAC-MD5) attribute. This suite
is defined as the [ESPCBC] transform, with authentication and
integrity provided by HMAC MD5.