
Re: NULL_ESP; why at all does it exist?



At 12:42 AM 7/11/02 , venkat wrote:
>Hi Everybody,
>
>Could you answer these questions
>
>1. During ESP packet generation, can the encryption be done with DES_CBC or 
>3DES_CBC and then provide authentication with NULL_ESP.
ESP_NULL does not provide authentication.  You need an authentication
transform to do that.  

>
>2. Is it required that we have to provide authentication with HMAC-MD5 or 
>HMAC-SHA. i.e. ESP_AUTH part
Yes, it is (except for the minor point that you are not limited to those two
authentication transforms; you can use HMAC-RIPEMD or some other ESP
authentication transform).

>
>3. Can NULL_ESP be used for providing authentication at all, because I read 
>somewhere that NULL_ESP can be used for this purpose.
It's provided because sometimes you really do want authentication but not
privacy, and ESP is defined to include an "encryption" transform.  Hence, a
NULL "encryption" transform that does not provide privacy.  Note that AH
alone will also provide this, but there are cases where AH cannot be used.

>
>4. Is NULL_ESP a void Transform, i.e. it doesn't do anything at all.
Well, it's the identity function.  See RFC2410 for all the fun details.

>
>5. To provide authentication only in ESP, can we use Enc-> NULL_ESP and then
>Auth-> HMAC-MD5/SHA
Yes, that is allowed.

>
>Awaiting replies
>- Venkat
>
>--------------------------------------------------------------
>Dexcel Electronics Designs (P) Ltd., Bangalore, India
>
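The configuration the thread settles on (question 5: ESP with the NULL encryption transform of RFC 2410 as the "encryption", plus an HMAC authentication transform for the ICV) can be shown end to end. The following is an added example, not code from the original message or from any IPsec implementation. It builds and verifies an ESP packet with NULL encryption and HMAC-SHA-1-96 (RFC 2404) over the RFC 2406 layout: SPI, sequence number, payload, padding, pad length, next header, then the 96-bit ICV computed over everything before it. The key, payload and the next-header value (4, IP-in-IP) are constructed for the example. It makes the point of the reply concrete: the payload stays readable in the packet (no privacy), but any modification is rejected by the ICV check (integrity and origin authentication).

```python
import hashlib
import hmac
import struct

# Assumptions for this example (not from the mailing-list post):
# - HMAC-SHA-1-96 as the ESP authentication transform (RFC 2404): 20-byte
#   HMAC-SHA-1 tag truncated to the first 12 bytes.
# - Next Header 4 (IP-in-IP), i.e. tunnel mode carrying an inner IPv4 packet.
NEXT_HEADER_IPIP = 4
ICV_LEN = 12
ESP_HDR_LEN = 8        # SPI (4 bytes) + sequence number (4 bytes)
TRAILER_LEN = 2        # Pad Length (1 byte) + Next Header (1 byte)


def esp_null_pad(payload: bytes, next_header: int, align: int = 4) -> bytes:
    """Append RFC 2406 padding and trailer to the payload.

    RFC 2410 gives NULL a block size of 1 and no IV, so the only padding
    requirement left is ESP's own: Pad Length and Next Header must end on
    a 4-byte boundary.
    """
    pad_len = (-(len(payload) + TRAILER_LEN)) % align
    # RFC 2406 default padding: 1, 2, 3, ... (monotonically increasing bytes)
    padding = bytes(range(1, pad_len + 1))
    return payload + padding + bytes([pad_len, next_header])


def esp_null_encrypt(data: bytes) -> bytes:
    """RFC 2410 section 2: the NULL transform is the identity function."""
    return data


def esp_icv(key: bytes, authenticated: bytes) -> bytes:
    """HMAC-SHA-1-96 ICV over SPI, sequence number, payload, padding and trailer."""
    return hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]


def build_esp_auth_only(key: bytes, spi: int, seq: int, payload: bytes,
                        next_header: int = NEXT_HEADER_IPIP) -> bytes:
    """Build an ESP packet with NULL encryption and an HMAC ICV (auth only)."""
    header = struct.pack("!II", spi, seq)
    body = esp_null_encrypt(esp_null_pad(payload, next_header))
    return header + body + esp_icv(key, header + body)


def verify_esp_auth_only(key: bytes, packet: bytes):
    """Check the ICV and return (spi, seq, payload, next_header).

    Raises ValueError if the packet is malformed or the ICV does not match,
    which is how a receiver detects tampering on an authentication-only SA.
    """
    if len(packet) < ESP_HDR_LEN + TRAILER_LEN + ICV_LEN:
        raise ValueError("packet too short for ESP header, trailer and ICV")
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(icv, esp_icv(key, authenticated)):
        raise ValueError("ICV mismatch: packet rejected")
    spi, seq = struct.unpack("!II", authenticated[:ESP_HDR_LEN])
    body = esp_null_encrypt(authenticated[ESP_HDR_LEN:])   # identity again
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - TRAILER_LEN:
        raise ValueError("bad pad length")
    payload = body[:len(body) - TRAILER_LEN - pad_len]
    return spi, seq, payload, next_header


def is_authentic(key: bytes, packet: bytes) -> bool:
    """True if the ICV verifies, False otherwise (convenience wrapper)."""
    try:
        verify_esp_auth_only(key, packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    key = bytes([0x0B]) * 20
    packet = build_esp_auth_only(key, spi=0x1000, seq=1, payload=b"hello ESP")
    # NULL encryption: the payload is visible in the clear right after the 8-byte header.
    print("payload visible at offset", packet.find(b"hello ESP"))
    print("verifies:", is_authentic(key, packet))
    tampered = bytearray(packet)
    tampered[8] ^= 0x01                 # flip one bit of the cleartext payload
    print("tampered verifies:", is_authentic(key, bytes(tampered)))
```

Running it shows the payload at offset 8 of the packet, the untouched packet verifying, and a one-bit change being rejected. Question 3 in the thread is answered by the same code path: the NULL transform contributes nothing, and every integrity guarantee comes from the HMAC over the ESP header and body.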