Re: NULL_ESP; why at all does it exist?
At 12:42 AM 7/11/02 , venkat wrote:
>Hi Everybody,
>
>Could you answer these questions
>
>1. During ESP packet generation, can the encryption be done with DES_CBC or
>3DES_CBC and then provide authentication with NULL_ESP.
ESP_NULL does not provide authentication. You need an authentication
transform to do that.
>
>2. Is it required that we have to provide authentication with HMAC-MD5 or
>HMAC-SHA. i.e. ESP_AUTH part
Yes, it is (except for the minor point that you are not limited to those two
authentication transforms; you can use HMAC-RIPEMD or some other ESP
authentication transform).
>
>3. Can NULL_ESP be used for providing authentication at all, because I read
>somewhere that NULL_ESP can be used for this purpose.
It's provided because sometimes you really do want authentication but not
privacy, and ESP is defined to include an "encryption" transform. Hence, a
NULL "encryption" transform that does not provide privacy. Note that AH
alone will also provide this, but there are cases where AH cannot be used.
>
>4. Is NULL_ESP a void Transform, i.e. it doesn't do anything at all.
Well, it's the identity function. See RFC2410 for all the fun details.
>
>5. To provide authentication only in ESP, can we use Enc-> NULL_ESP and then
>Auth-> HMAC-MD5/SHA
Yes, that is allowed.
>
>Awaiting replies
>- Venkat
>
>--------------------------------------------------------------
>Dexcel Electronics Designs (P) Ltd., Bangalore, India
>
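The exchange above boils down to one point: the NULL transform of RFC 2410 is the identity function, so ESP with NULL "encryption" gives integrity and origin authentication only through the separate authentication transform, and the payload travels in the clear. The following Python example, added here and not part of the mailing-list thread, builds an ESP packet with NULL encryption and HMAC-SHA-1-96 (RFC 2404, 96-bit truncated ICV) and verifies it on the receiving side. The SPI, key, payload and function names are constructed for this illustration; the field layout (SPI, sequence number, payload, padding, pad length, next header, ICV) follows the ESP format, and the padding rule is the 4-byte alignment of the trailer that ESP still requires even though NULL has a block size of one.

```python
import hmac
import hashlib
import struct

# Constructed sample values for this example only (not from the thread).
SAMPLE_SPI = 0x12345678
SAMPLE_KEY = b"0123456789abcdefghij"   # 160-bit key as HMAC-SHA-1-96 (RFC 2404) requires
SAMPLE_PAYLOAD = b"hello"              # stands in for an inner IP packet
NEXT_HEADER_IPV4 = 4                   # IANA protocol number for IP-in-IP (tunnel mode)
ICV_LEN = 12                           # HMAC-SHA-1-96 keeps the first 96 bits of the MAC


def esp_null_transform(data: bytes) -> bytes:
    """RFC 2410 NULL encryption: the identity function. No IV, block size 1,
    and no confidentiality whatsoever; it exists only so ESP's mandatory
    'encryption' slot can be filled when you want authentication alone."""
    return data


def esp_padding(payload_len: int) -> bytes:
    """ESP requires Pad Length and Next Header to end on a 4-byte boundary.
    NULL needs no cipher-block padding, so only this alignment padding remains.
    Default padding content is the monotonically increasing sequence 1, 2, 3, ..."""
    pad_len = (-(payload_len + 2)) % 4
    return bytes(range(1, pad_len + 1))


def build_esp_null_hmac(spi: int, seq: int, payload: bytes,
                        next_header: int, key: bytes) -> bytes:
    """Sender side: Enc -> NULL, Auth -> HMAC-SHA-1-96 (question 5 in the thread)."""
    pad = esp_padding(len(payload))
    trailer = bytes([len(pad), next_header])
    plaintext = payload + pad + trailer
    header = struct.pack("!II", spi, seq)            # SPI and sequence number
    body = header + esp_null_transform(plaintext)    # everything the ICV covers
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def check_icv(packet: bytes, key: bytes) -> bool:
    """Receiver side, step 1: constant-time ICV comparison over SPI, sequence
    number and (NULL-'encrypted') payload. The sequence number being covered is
    what lets ESP's anti-replay window trust it."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return False
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def verify_esp_null_hmac(packet: bytes, key: bytes) -> dict:
    """Receiver side, step 2: only after the ICV passes do we parse the trailer."""
    if not check_icv(packet, key):
        raise ValueError("ICV mismatch: packet forged, corrupted, or wrong SA key")
    spi, seq = struct.unpack("!II", packet[:8])
    plaintext = esp_null_transform(packet[8:-ICV_LEN])   # identity again on decrypt
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("pad length exceeds payload")
    payload = plaintext[:len(plaintext) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload}


# A constructed packet for the sequence number 1 on the sample SA.
SAMPLE_PACKET = build_esp_null_hmac(SAMPLE_SPI, 1, SAMPLE_PAYLOAD,
                                    NEXT_HEADER_IPV4, SAMPLE_KEY)


if __name__ == "__main__":
    print("ESP-NULL packet:", SAMPLE_PACKET.hex())
    # The payload is readable straight out of the wire bytes: no privacy.
    print("payload visible in clear:", SAMPLE_PACKET[8:8 + len(SAMPLE_PAYLOAD)])
    print("verified:", verify_esp_null_hmac(SAMPLE_PACKET, SAMPLE_KEY))
```

Two things worth noticing when you run it: the payload bytes sit unchanged right after the 8-byte ESP header, which is the point the reply makes about NULL giving no privacy, and flipping any byte of the header or payload makes `check_icv` fail, which is the authentication that the HMAC transform, not NULL_ESP, supplies.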