RE: Q: Why IPSEC to be used only in CBC mode & not other like CFB or OFB ?
Paul,
> >>>>> "Bob" == Bob Doud <bdoud@ire-ma.com> writes:
>
> Bob> Of course, one argument for ESP, Null Auth is when you are
> Bob> bundling it with AH. That way, you pick up the authentication
> Bob> of the outer IP header, without duplicating the ICV's twice.
>
>Yes, but AH is so much more trouble than ESP authentication.
>In particular, it takes two passes to use AH if you also use
>compression (IPCOMP).
>
>Also, right now it is permitted to have just ESP (no AH) and yet no
>authentication. I can see no reason why that should continue.
Suitable authentication may have been applied previously, e.g., via
IPsec at an end system (vs. a gateway) or at a higher layer.
Steve