
RE: Q: Why IPSEC to be used only in CBC mode & not other like CFB or OFB ?



Of course, one argument for ESP, Null Auth is when you are
bundling it with AH.  That way, you pick up the authentication
of the outer IP header, without duplicating the ICVs twice.

Bob

> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Paul Koning
> Sent: Tuesday, March 07, 2000 10:56 AM
> To: CTrobridge@baltimore.com
> Cc: helger@cyber.ee; ipsec@lists.tislabs.com
> Subject: RE: Q: Why IPSEC to be used only in CBC mode & not other like
> CFB or OFB ?
> 
> 
> >>>>> "Chris" == Chris Trobridge <CTrobridge@baltimore.com> writes:
> 
>  Chris> It does reinforce the advantages of authentication in ESP.  I
>  Chris> don't know if I've come to the point of assuming ESP
>  Chris> authentication is pretty much essential through this group or
>  Chris> though discussions with customers, but what do others think?
> 
> I've been convinced by Steve Bellovin's papers that it is essential.
> Unfortunately, we're not currently allowed to reject ESP with null
> authentication.  As far as I'm concerned, that's a bug, but
> unfortunately some feel differently.  We're definitely telling people
> in documentation not to skip authentication.
> 
> Both in software and hardware, there is no performance justification
> for omitting authentication.
> 
> 	paul
> 
> 


