Re: [IPsec] Updated ESP/AH algorithm I-D

"David McGrew (mcgrew)" <> Thu, 14 March 2013 19:41 UTC

From: "David McGrew (mcgrew)" <>
To: "Frankel, Sheila E." <>, IPsecme WG <>
Date: Thu, 14 Mar 2013 19:41:29 +0000

Hi Sheila,

Thanks for pointing this out. I agree that the draft needs to be changed
to align with the ESP RFC.


On 3/12/13 10:01 AM, "Frankel, Sheila E." <> wrote:

>Hi David and Wajdi,
>Your updated ESP/AH algorithm doc looks great, and is very much needed. I
>just have one comment. You speak of the 2 services provided by ESP and AH
>as confidentiality and "data origin authentication." As I'm sure you
>know, authentication is used in different ways by different communities.
>I believe that in most of the IPsec docs the 1st service is referred to
>interchangeably as encryption and confidentiality; the 2nd service is
>interchangeably referred to as authentication and integrity protection.
>However, in RFC 4303 (ESP) it states: "Data origin authentication and
>connectionless integrity are joint services, hereafter referred to
>jointly as "integrity"." In your doc, the integrity-protection aspect is
>not mentioned at all, and I believe that is a critical oversight.
>Sheila Frankel