
RE: Q: Why IPSEC to be used only in CBC mode & not other like CFB or OFB ?



Paul,

>  >>>>> "Bob" == Bob Doud <bdoud@ire-ma.com> writes:
>
>  Bob> Of course, one argument for ESP, Null Auth is when you are
>  Bob> bundling it with AH.  That way, you pick up the authentication
>  Bob> of the outer IP header, without duplicating the ICV's twice.
>
>Yes, but AH is so much more trouble than ESP authentication.
>In particular, it takes two passes to use AH if you also use
>compression (IPCOMP).
>
>Also, right now it is permitted to have just ESP (no AH) and yet no
>authentication.  I can see no reason why that should continue.

Suitable authentication may have been applied previously, e.g., via
IPsec at an end system (vs. a gateway) or at a higher layer.

Steve


