Re: NULL_ESP; why at all does it exist?
Scott Fluhrer <sfluhrer@cisco.com> Thu, 11 July 2002 17:13 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g6BHDww09072; Thu, 11 Jul 2002 10:13:58 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA22389 Thu, 11 Jul 2002 12:23:31 -0400 (EDT)
Message-Id: <200207111638.AFJ97314@mira-sjcm-3.cisco.com>
X-Sender: sfluhrer@mira-sjcm-3
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.2
Date: Thu, 11 Jul 2002 09:23:41 -0700
To: venkat@dexceldesigns.com, ipsec@lists.tislabs.com
From: Scott Fluhrer <sfluhrer@cisco.com>
Subject: Re: NULL_ESP; why at all does it exist?
In-Reply-To: <200207111302.g6BD28T23011@mail.deldsl.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
At 12:42 AM 7/11/02 , venkat wrote:
>Hi Everybody,
>
>Could you answer these questions
>
>1. During ESP packet generation, can the encryption be done with DES_CBC or
>3DES_CBC and then provide authentication with NULL_ESP.

ESP_NULL does not provide authentication. You need an authentication transform to do that.

>
>2. Is it required that we have to provide authentication with HMAC-MD5 or
>HMAC-SHA. i.e. ESP_AUTH part

Yes, it is (except for the minor point that you are not limited to those two authentication transforms; you can use HMAC-RIPEMD or some other ESP authentication transform).

>
>3. Can NULL_ESP be used for providing authentication at all, because I read
>somewhere that NULL_ESP can be used for this purpose.

It's provided because sometimes you really do want authentication but not privacy, and ESP is defined to include an "encryption" transform. Hence, a NULL "encryption" transform that does not provide privacy. Note that AH alone will also provide this, but there are cases where AH cannot be used.

>
>4. Is NULL_ESP a void Transform, i.e. it doesn't do anything at all.

Well, it's the identity function. See RFC2410 for all the fun details.

>
>5. To provide authentication only in ESP, can we use Enc-> NULL_ESP and then
>Auth-> HMAC-MD5/SHA

Yes, that is allowed.

>
>Awaiting replies
>- Venkat
>
>--------------------------------------------------------------
>Dexcel Electronics Designs (P) Ltd., Bangalore, India
>
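The following is an added example for readers of this archive; it is not part of the thread and is not code from any of the participants or from an IPsec implementation. It builds and verifies an ESP packet in the configuration asked about in question 5: the RFC 2406 ESP layout (SPI, Sequence Number, Payload, Padding, Pad Length, Next Header, ICV), the RFC 2410 NULL encryption transform (identity function, no IV, block size 1, so the only padding needed is the 4-byte alignment of the trailer that RFC 2406 requires), and an HMAC-SHA-1-96 authentication transform per RFC 2404 (the 20-byte SHA-1 HMAC truncated to 12 bytes). The SPI value, the key and the payload are constructed for illustration; the function names are the example's own. It shows the three points made above in running code: the payload is visible on the wire (no privacy), a packet with ESP_AUTH detects tampering, and a NULL-only packet with the ICV stripped off does not.

```python
import hashlib
import hmac
import struct

# RFC 2406 ESP layout:
#   SPI(4) | Sequence Number(4) | Payload | Padding | Pad Length(1) | Next Header(1) | ICV
# RFC 2410: NULL encryption has no IV and block size 1, so the only padding required
# is what RFC 2406 itself demands: Pad Length and Next Header right-aligned in a 4-byte word.
ESP_HDR_FMT = "!II"
ESP_HDR_LEN = struct.calcsize(ESP_HDR_FMT)
TRAILER_LEN = 2
ICV_LEN = 12  # RFC 2404 HMAC-SHA-1-96: 160-bit HMAC truncated to 96 bits


def null_padding(payload_len):
    """RFC 2406 default padding (1, 2, 3, ...) that aligns the 2-byte trailer to 4 bytes."""
    pad_len = (-(payload_len + TRAILER_LEN)) % 4
    return bytes(range(1, pad_len + 1))


def esp_icv(auth_key, authenticated_bytes):
    """HMAC-SHA-1-96 over everything from the SPI through the Next Header byte."""
    return hmac.new(auth_key, authenticated_bytes, hashlib.sha1).digest()[:ICV_LEN]


def esp_null_encapsulate(spi, seq, next_header, payload, auth_key):
    """ESP with Enc = NULL, Auth = HMAC-SHA-1-96 (the combination in question 5)."""
    padding = null_padding(len(payload))
    # NULL "encryption" is the identity function: the payload goes on the wire unchanged.
    body = (struct.pack(ESP_HDR_FMT, spi, seq) + payload + padding
            + bytes([len(padding), next_header]))
    return body + esp_icv(auth_key, body)


def esp_null_verify(packet, auth_key):
    """True iff the trailing ICV matches the rest of the packet (constant-time compare)."""
    if len(packet) < ESP_HDR_LEN + TRAILER_LEN + ICV_LEN:
        return False
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, esp_icv(auth_key, body))


def esp_null_decapsulate(packet, auth_key):
    """Verify the ICV first, then strip ESP header and trailer. Returns (spi, seq, nh, payload)."""
    if not esp_null_verify(packet, auth_key):
        raise ValueError("ESP ICV mismatch: packet forged or corrupted")
    body = packet[:-ICV_LEN]
    spi, seq = struct.unpack(ESP_HDR_FMT, body[:ESP_HDR_LEN])
    pad_len, next_header = body[-2], body[-1]
    inner = body[ESP_HDR_LEN:-TRAILER_LEN]
    if pad_len > len(inner):
        raise ValueError("bad Pad Length")
    payload, padding = inner[:len(inner) - pad_len], inner[len(inner) - pad_len:]
    # RFC 2406 makes padding inspection optional for receivers; this example checks it.
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return spi, seq, next_header, payload


def flip_byte(packet, offset):
    """Simulate an on-path modification of one byte (used to show what the ICV catches)."""
    return packet[:offset] + bytes([packet[offset] ^ 0x01]) + packet[offset + 1:]


if __name__ == "__main__":
    key = b"constructed-example-key!"          # constructed, not a real SA key
    pkt = esp_null_encapsulate(0x1000, 1, 6, b"hello ipsec", key)  # 6 = TCP as Next Header

    # No privacy: the cleartext payload is right there in the ESP packet.
    print("payload visible on wire:", b"hello ipsec" in pkt)

    # Integrity with ESP_AUTH: flipping the first payload byte is detected.
    print("tampered packet verifies:", esp_null_verify(flip_byte(pkt, ESP_HDR_LEN), key))

    # ESP_NULL with no ESP_AUTH: nothing left in the packet can detect the change.
    null_only = pkt[:-ICV_LEN]
    print("NULL-only packet differs after tamper, but nothing checks it:",
          flip_byte(null_only, ESP_HDR_LEN) != null_only)

    print(esp_null_decapsulate(pkt, key))
```

Note the order in the receiver: the ICV is checked before anything else is parsed, which is also what RFC 2406 prescribes, and the comparison is constant-time. The 11-byte payload gets 3 bytes of padding so that Pad Length and Next Header land at the end of a 4-byte word; an 18-byte payload would get none.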
- NULL_ESP; why at all does it exist? venkat
- Re: NULL_ESP; why at all does it exist? Scott Fluhrer