Re: NULL_ESP; why at all does it exist?

Scott Fluhrer <sfluhrer@cisco.com> Thu, 11 July 2002 17:13 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g6BHDww09072; Thu, 11 Jul 2002 10:13:58 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA22389 Thu, 11 Jul 2002 12:23:31 -0400 (EDT)
Message-Id: <200207111638.AFJ97314@mira-sjcm-3.cisco.com>
X-Sender: sfluhrer@mira-sjcm-3
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.2
Date: Thu, 11 Jul 2002 09:23:41 -0700
To: venkat@dexceldesigns.com, ipsec@lists.tislabs.com
From: Scott Fluhrer <sfluhrer@cisco.com>
Subject: Re: NULL_ESP; why at all does it exist?
In-Reply-To: <200207111302.g6BD28T23011@mail.deldsl.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

At 12:42 AM 7/11/02, venkat wrote:
>Hi Everybody,
>
>Could you answer these questions
>
>1. During ESP packet generation, can the encryption be done with DES_CBC or 
>3DES_CBC and then provide authentication with NULL_ESP.
ESP_NULL does not provide authentication.  You need an authentication
transform to do that.  

>
>2. Is it required that we have to provide authentication with HMAC-MD5 or 
>HMAC-SHA. i.e. ESP_AUTH part
Yes, it is (except for the minor point that you are not limited to those two
authentication transforms; you can use HMAC-RIPEMD or some other ESP
authentication transform).

>
>3. Can NULL_ESP be used for providing authentication at all, because I read 
>somewhere that NULL_ESP can be used for this purpose.
It's provided because sometimes you really do want authentication but not
privacy, and ESP is defined to include an "encryption" transform.  Hence, a
NULL "encryption" transform that does not provide privacy.  Note that AH
alone will also provide this, but there are cases where AH cannot be used.

>
>4. Is NULL_ESP a void Transform, i.e. it doesn't do anything at all.
Well, it's the identity function.  See RFC2410 for all the fun details.

>
>5. To provide authentication only in ESP, can we use Enc-> NULL_ESP and then
>Auth-> HMAC-MD5/SHA
Yes, that is allowed.

>
>Awaiting replies
>- Venkat
>
>--------------------------------------------------------------
>Dexcel Electronics Designs (P) Ltd., Bangalore, India
>
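[Added example, not part of Scott's reply or venkat's question and not code from any IPsec implementation. It shows the combination the thread settles on: ESP with the RFC 2410 NULL encryption transform (the identity function) plus an ESP authentication transform, here HMAC-SHA-1-96 (RFC 2404), with the ESP header, padding and trailer laid out as in RFC 2406. The key, SPI, payload and next-header value are constructed sample values. The receiver side is written twice on purpose: once without an ICV check, to make Scott's point that ESP_NULL by itself authenticates nothing, and once with the ICV verified before the NULL "decryption".]

```python
import hashlib
import hmac
import struct

# Constructed sample values (assumptions for this example, not from the thread):
# a 160-bit HMAC-SHA-1 key, an SPI, and a payload standing in for the inner datagram.
SAMPLE_KEY = bytes(range(20))
SAMPLE_SPI = 0x12345678
SAMPLE_PAYLOAD = b"hello, this is the inner datagram"
NEXT_HEADER_IPIP = 4   # IP-in-IP, as used for an IPv4 tunnel-mode SA
ICV_LEN = 12           # HMAC-SHA-1-96 truncates the 160-bit MAC to 96 bits (RFC 2404)
ESP_HDR = struct.Struct("!II")  # SPI, Sequence Number (RFC 2406)


def null_encrypt(data: bytes) -> bytes:
    """RFC 2410 NULL 'encryption': the identity function (same in both directions)."""
    return data


def esp_padding(payload_len: int) -> bytes:
    """ESP padding for ESP_NULL (block size 1): only the 4-byte alignment of the
    Pad Length / Next Header trailer matters.  Padding bytes are 1, 2, 3, ... (RFC 2406)."""
    pad_len = (-(payload_len + 2)) % 4
    return bytes(range(1, pad_len + 1))


def build_esp_null(spi: int, seq: int, payload: bytes, next_header: int,
                   key: bytes, authenticate: bool = True) -> bytes:
    """Build an ESP packet with the NULL encryption transform; append an
    HMAC-SHA-1-96 ICV only if an authentication transform was negotiated."""
    pad = esp_padding(len(payload))
    trailer = bytes([len(pad), next_header])
    packet = ESP_HDR.pack(spi, seq) + null_encrypt(payload + pad + trailer)
    if authenticate:
        # The ICV covers SPI, sequence number, payload, padding and trailer.
        packet += hmac.new(key, packet, hashlib.sha1).digest()[:ICV_LEN]
    return packet


def strip_esp_null(packet: bytes):
    """Undo ESP_NULL with no ICV check, i.e. what a receiver does when no
    authentication transform is in use.  Returns (spi, seq, next_header, payload)."""
    if len(packet) < ESP_HDR.size + 2:
        raise ValueError("packet too short")
    spi, seq = ESP_HDR.unpack_from(packet)
    body = null_encrypt(packet[ESP_HDR.size:])
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("bad pad length")
    end = len(body) - 2 - pad_len
    if body[end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return spi, seq, next_header, body[:end]


def parse_esp_null_auth(packet: bytes, key: bytes):
    """Receiver side for ESP_NULL + HMAC-SHA-1-96: verify the ICV first, then strip."""
    if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
        raise ValueError("packet too short")
    covered, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV check failed")
    return strip_esp_null(covered)


def flip_first_payload_byte(packet: bytes) -> bytes:
    """Simulate an on-path modification of the first payload byte."""
    modified = bytearray(packet)
    modified[ESP_HDR.size] ^= 0x01
    return bytes(modified)


def tamper_detected(packet: bytes, key: bytes) -> bool:
    """True if the authenticated receiver rejects the modified packet."""
    try:
        parse_esp_null_auth(flip_first_payload_byte(packet), key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    auth_pkt = build_esp_null(SAMPLE_SPI, 1, SAMPLE_PAYLOAD, NEXT_HEADER_IPIP, SAMPLE_KEY)
    print("payload visible on the wire:", SAMPLE_PAYLOAD in auth_pkt)   # no privacy
    print("modification detected with ICV:", tamper_detected(auth_pkt, SAMPLE_KEY))
    plain_pkt = build_esp_null(SAMPLE_SPI, 1, SAMPLE_PAYLOAD, NEXT_HEADER_IPIP,
                               SAMPLE_KEY, authenticate=False)
    print("modified payload accepted without ICV:",
          strip_esp_null(flip_first_payload_byte(plain_pkt))[3])
```

Two things worth noticing when running it: the inner datagram appears verbatim in the ESP packet bytes, which is exactly why ESP_NULL gives no privacy, and the same packet with the ICV omitted accepts a modified payload without complaint, which is why an authentication transform (and not the NULL transform) is what answers venkat's question 3.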