Re: [IPsec] Updated ESP/AH algorithm I-D

"David McGrew (mcgrew)" <mcgrew@cisco.com> Thu, 14 March 2013 19:41 UTC

From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: "Frankel, Sheila E." <sheila.frankel@nist.gov>, IPsecme WG <ipsec@ietf.org>
Thread-Topic: [IPsec] Updated ESP/AH algorithm I-D
Thread-Index: AQHOHypcm7BoNqYzAkOdJwnzwDYHfJilqkMA
Date: Thu, 14 Mar 2013 19:41:29 +0000
Message-ID: <747787E65E3FBD4E93F0EB2F14DB556B183EA09B@xmb-rcd-x04.cisco.com>
In-Reply-To: <D7A0423E5E193F40BE6E94126930C4930BFB6145E1@MBCLUSTER.xchange.nist.gov>
Subject: Re: [IPsec] Updated ESP/AH algorithm I-D

Hi Sheila,

Thanks for pointing this out. I agree that the draft needs to be changed
to align with the ESP RFC.

David

On 3/12/13 10:01 AM, "Frankel, Sheila E." <sheila.frankel@nist.gov> wrote:

>Hi David and Wajdi,
>
>Your updated ESP/AH algorithm doc looks great, and is very much needed. I
>just have one comment. You speak of the 2 services provided by ESP and AH
>as confidentiality and "data origin authentication." As I'm sure you
>know, authentication is used in different ways by different communities.
>I believe that in most of the IPsec docs the 1st service is referred to
>interchangeably as encryption and confidentiality; the 2nd service is
>interchangeably referred to as authentication and integrity protection.
>However, in RFC 4303 (ESP) it states: "Data origin authentication and
>connectionless integrity are joint services, hereafter referred to
>jointly as "integrity"." In your doc, the integrity-protection aspect is
>not mentioned at all, and I believe that is a critical oversight.
>
>Sheila Frankel
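To make the two services under discussion concrete, the following is an added example (it is not code from the algorithm draft, from RFC 4303, or from any IPsec implementation). It builds an ESP packet in the RFC 4303 layout, SPI | Sequence Number | IV | AES-CBC(payload | padding | pad length | next header) | ICV, using ENCR_AES_CBC for confidentiality and AUTH_HMAC_SHA1_96 for integrity, with the ICV computed over everything that precedes it. The receiver verifies the ICV before decrypting; a second, encryption-only receiver shows why leaving the integrity service out of the description is not a cosmetic omission: CBC ciphertext can be modified so that decryption still succeeds and a chosen plaintext byte changes. The keys, the fixed IV, the SPI, the inner payload and the function names espEncap, espDecap and tamper are all constructed for this demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed SA keys for the demo (not real keying material): a 16-byte
// AES-128 key for ENCR_AES_CBC and a key for AUTH_HMAC_SHA1_96.
var (
	encKey  = []byte("0123456789abcdef")
	authKey = []byte("hmac-sha1-demo-key-0123456789")
)

const (
	icvLen     = 12 // HMAC-SHA1-96: 160-bit tag truncated to 96 bits
	blockSize  = aes.BlockSize
	nextHeader = 4 // next header 4 = IP-in-IP, i.e. an inner IPv4 packet
)

// Fixed IV so the demo is deterministic; a real sender needs a fresh,
// unpredictable IV for every packet.
var demoIV = []byte("fixed-iv-demo-16")

// espEncap builds an RFC 4303 ESP packet:
//   SPI(4) | Seq(4) | IV(16) | AES-CBC(payload | pad | padLen | nextHdr) | ICV(12)
// The ICV covers everything that precedes it.
func espEncap(spi, seq uint32, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	// Pad so that payload + padding + the 2 trailer bytes fill whole blocks.
	padLen := (blockSize - (len(payload)+2)%blockSize) % blockSize
	plain := append([]byte(nil), payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 4303 default padding: 1, 2, 3, ...
	}
	plain = append(plain, byte(padLen), nextHeader)

	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, demoIV).CryptBlocks(ct, plain)

	pkt := make([]byte, 8, 8+blockSize+len(ct)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:4], spi)
	binary.BigEndian.PutUint32(pkt[4:8], seq)
	pkt = append(pkt, demoIV...)
	pkt = append(pkt, ct...)
	mac := hmac.New(sha1.New, authKey)
	mac.Write(pkt)
	return append(pkt, mac.Sum(nil)[:icvLen]...), nil
}

// espDecap is the receiver. With checkICV=true it verifies the ICV first
// (data origin authentication plus connectionless integrity, the joint
// "integrity" service of RFC 4303) and only then decrypts (confidentiality).
// With checkICV=false it is an encryption-only receiver.
func espDecap(pkt []byte, checkICV bool) ([]byte, error) {
	if len(pkt) < 8+blockSize+blockSize+icvLen {
		return nil, errors.New("packet too short")
	}
	body, icv := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	if checkICV {
		mac := hmac.New(sha1.New, authKey)
		mac.Write(body)
		if !hmac.Equal(mac.Sum(nil)[:icvLen], icv) {
			return nil, errors.New("ICV mismatch: packet modified or not from the peer")
		}
	}
	iv, ct := body[8:8+blockSize], body[8+blockSize:]
	if len(ct)%blockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-2])
	if padLen > len(plain)-2 {
		return nil, errors.New("bad pad length")
	}
	return plain[:len(plain)-2-padLen], nil
}

// tamper XORs one byte of the first ciphertext block. CBC decryption then
// garbles plaintext block 1 and XORs the same byte of plaintext block 2
// (payload byte 23) with the same value; the padding in block 3 is untouched.
func tamper(pkt []byte) []byte {
	t := append([]byte(nil), pkt...)
	t[8+blockSize+7] ^= 0x09 // '0' (0x30) becomes '9' (0x39) in the plaintext
	return t
}

func main() {
	payload := []byte("inner-ip-hdr:16Bamount=0100 to=bob")
	pkt, _ := espEncap(0x1000, 1, payload)
	evil := tamper(pkt)
	if out, err := espDecap(evil, false); err == nil {
		fmt.Printf("encryption-only receiver accepted: %q\n", out[16:])
	}
	_, err := espDecap(evil, true)
	fmt.Printf("receiver that checks the ICV: err=%v\n", err)
}
```

Running this, the encryption-only receiver accepts the modified packet and hands up a plaintext whose second block now reads "amount=9100 to=b" (the first block is garbage, which a stack that does not check it would not notice), while the receiver that checks the ICV rejects it before decrypting. Encryption alone gives neither data origin authentication nor connectionless integrity; the ICV gives both, which is why the ESP RFC treats them as one service. The demo omits the anti-replay window and the fresh per-packet IV that a real implementation must have.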