RE: Q: Why IPSEC to be used only in CBC mode & not other like CFB or OFB ?
ESP with null auth + AH would be fine.
I'm not convinced about the merits of AH in any case. Given that ESP with
auth authenticates the SPI, sequence number & payload, it's not possible for
an attacker to spoof traffic through by altering the IP header. What does
AH achieve?
Chris
> -----Original Message-----
> From: Bob Doud [mailto:bdoud@ire-ma.com]
> Sent: 07 March 2000 16:31
> To: Paul Koning; CTrobridge@baltimore.com
> Cc: ipsec@lists.tislabs.com
> Subject: RE: Q: Why IPSEC to be used only in CBC mode & not other like
> CFB or OFB ?
>
>
> Of course, one argument for ESP, Null Auth is when you are
> bundling it with AH. That way, you pick up the authentication
> of the outer IP header, without duplicating the ICV's twice.
>
> Bob
>
> > -----Original Message-----
> > From: owner-ipsec@lists.tislabs.com
> > [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Paul Koning
> > Sent: Tuesday, March 07, 2000 10:56 AM
> > To: CTrobridge@baltimore.com
> > Cc: helger@cyber.ee; ipsec@lists.tislabs.com
> > Subject: RE: Q: Why IPSEC to be used only in CBC mode & not other like
> > CFB or OFB ?
> >
> >
> > >>>>> "Chris" == Chris Trobridge <CTrobridge@baltimore.com> writes:
> >
> > Chris> It does reinforce the advantages of authentication in ESP. I
> > Chris> don't know if I've come to the point of assuming ESP
> > Chris> authentication is pretty much essential through this group or
> > Chris> through discussions with customers, but what do others think?
> >
> > I've been convinced by Steve Bellovin's papers that it is essential.
> > Unfortunately, we're not currently allowed to reject ESP with null
> > authentication. As far as I'm concerned, that's a bug, but
> > unfortunately some feel differently. We're definitely telling people
> > in documentation not to skip authentication.
> >
> > Both in software and hardware, there is no performance justification
> > for omitting authentication.
> >
> > paul
> >
> >
>
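
Added example, not part of any message in this thread: a simplified Python model of the integrity coverage the messages above compare, ESP with authentication (SPI, sequence number and payload) against AH bundled with null-auth ESP (which also covers the outer IP header). The key, addresses, SPIs and payload bytes are constructed; it assumes HMAC-SHA-1-96, an IPv4 header without options, a zero checksum and no real encryption.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"            # constructed sample key
DST = socket.inet_aton("198.51.100.2")   # constructed destination address

def icv(data):
    # HMAC-SHA-1 truncated to 96 bits (assumed integrity transform)
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ipv4_header(src, ttl, proto, payload_len):
    # 20-byte IPv4 header, no options; checksum left at zero in this model
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), DST)

def ah_immutable(hdr):
    # AH zeroes fields that change in transit: TOS, flags/offset, TTL, checksum
    b = bytearray(hdr)
    b[1] = 0; b[6:8] = b"\0\0"; b[8] = 0; b[10:12] = b"\0\0"
    return bytes(b)

def esp_packet(ip_hdr, spi, seq, body):
    esp = struct.pack("!II", spi, seq) + body
    return ip_hdr + esp + icv(esp)       # ICV over SPI, sequence number, payload

def esp_ok(pkt):
    return hmac.compare_digest(icv(pkt[20:-12]), pkt[-12:])

def ah_packet(ip_hdr, spi, seq, upper):
    ah = struct.pack("!BBHII", 50, 4, 0, spi, seq)   # next header 50 = ESP
    tag = icv(ah_immutable(ip_hdr) + ah + b"\0" * 12 + upper)
    return ip_hdr + ah + tag + upper

def ah_ok(pkt):
    covered = ah_immutable(pkt[:20]) + pkt[20:32] + b"\0" * 12 + pkt[44:]
    return hmac.compare_digest(icv(covered), pkt[32:44])

def compare():
    body = bytes(range(32))              # constructed stand-in for IV + ciphertext
    esp = esp_packet(ipv4_header("192.0.2.1", 64, 50, 52), 0x1001, 7, body)
    null_esp = struct.pack("!II", 0x1001, 7) + body  # ESP with null auth: no ICV
    ah = ah_packet(ipv4_header("192.0.2.1", 64, 51, 64), 0x2002, 7, null_esp)
    new_src = lambda p: p[:12] + socket.inet_aton("203.0.113.9") + p[16:]
    return {
        "esp_accepts_rewritten_src": esp_ok(new_src(esp)),   # header is outside the ESP ICV
        "esp_accepts_altered_seq": esp_ok(esp[:27] + b"\x08" + esp[28:]),
        "ah_accepts_rewritten_src": ah_ok(new_src(ah)),      # source address is inside the AH ICV
        "ah_accepts_decremented_ttl": ah_ok(ah[:8] + b"\x3f" + ah[9:]),
    }

if __name__ == "__main__":
    for check, result in compare().items():
        print(f"{check}: {result}")
```

The model checks only the ICV; it does not include the receiver's SA lookup or policy checks on the addresses of the decapsulated packet.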