Re: Mandatory Algorithms for ESP?

"Derrell D. Piper" <ddp@network-alchemy.com> Thu, 19 March 1998 17:25 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id MAA19305 for ipsec-outgoing; Thu, 19 Mar 1998 12:25:38 -0500 (EST)
Message-Id: <199803191739.MAA11553@relay.rv.tis.com>
To: Charles Kunzinger <kunzinge@us.ibm.com>
cc: ipsec@tis.com
Subject: Re: Mandatory Algorithms for ESP?
In-reply-to: Your message of "Thu, 19 Mar 1998 09:58:53 EST." <5040300013972416000002L062*@MHS>
Date: Thu, 19 Mar 1998 09:39:13 -0800
From: "Derrell D. Piper" <ddp@network-alchemy.com>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

Charles,

Actually, the DOI is in error here.  The text under the DOI ESP section dates
from before SHA-1 was a mandatory authentication algorithm.  Since the AH
section (correctly) mandates MD5 and SHA-1, the correct interpretation for ESP
should be that support for both MD5 and SHA-1 is a MUST.

In summary, the following combinations are required by the IPSEC DOI:

   AH(HMAC-MD5)
   AH(HMAC-SHA)

   ESP_NULL(HMAC-MD5)
   ESP_NULL(HMAC-SHA)
   ESP_DES(<no integrity>)
   ESP_DES(HMAC-MD5)
   ESP_DES(HMAC-SHA)

>Also, do the terms "algorithm" and "transform" mean the same thing, or is there
>some subtle difference that I need to be aware of?

"Algorithm" is more general than "transform," in the sense that DES is the
base cryptographic algorithm used by the ESP_DES transform.  In other words,
the ESP_DES transform describes how to apply the DES algorithm in the ESP
context.  The resulting method, including things like how to do padding and IV
generation, results in a defined transform.

Derrell
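As an added illustration of the algorithm/transform split discussed above (example code written for this archive page, not from Derrell's message or any IPsec implementation), the Python below is the ESP transform layer: the RFC 2406 trailer (1,2,3,... padding, Pad Length, Next Header), the explicit IV slot, and the 96-bit truncated HMAC-MD5 / HMAC-SHA-1 ICV that the DOI combinations require. The block cipher is passed in as a callable; ESP_NULL uses the identity, and ESP_DES would take a DES-CBC callable that the standard library does not provide, so it is assumed to be supplied by the caller.

```python
import hmac
import struct
from hashlib import md5, sha1

ICV_LEN = 12  # HMAC-MD5-96 / HMAC-SHA-1-96 truncate the MAC to 96 bits (RFC 2403/2404)
AUTH_ALGS = {"HMAC-MD5": md5, "HMAC-SHA": sha1}  # the two DOI-mandated integrity algorithms


def esp_trailer(plaintext, next_header, block_size):
    """RFC 2406 trailer: pad bytes 1,2,3,... then Pad Length and Next Header, so the
    result is a multiple of block_size (8 for DES-CBC, 4 for ESP_NULL)."""
    pad_len = (-(len(plaintext) + 2)) % block_size
    return plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def strip_trailer(data):
    """Inverse of esp_trailer; rejects padding that does not follow the default pattern."""
    pad_len, next_header = data[-2], data[-1]
    body, padding = data[:-2 - pad_len], data[-2 - pad_len:-2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return body, next_header


def esp_protect(spi, seq, plaintext, next_header, cipher, block_size, iv, auth_alg, auth_key):
    """Assemble SPI | Seq | IV | cipher(trailered plaintext) | ICV.
    cipher: callable(iv, data) -> data (identity for ESP_NULL; DES-CBC for ESP_DES, assumed
    supplied by the caller). auth_alg: None for ESP_DES(<no integrity>), else an AUTH_ALGS key."""
    ciphertext = cipher(iv, esp_trailer(plaintext, next_header, block_size))
    authed = struct.pack("!II", spi, seq) + iv + ciphertext  # ICV covers header, IV, ciphertext
    if auth_alg is None:
        return authed
    return authed + hmac.new(auth_key, authed, AUTH_ALGS[auth_alg]).digest()[:ICV_LEN]


def esp_unprotect(packet, decipher, block_size, iv_len, auth_alg, auth_key):
    """Check the ICV in constant time before touching the ciphertext, then strip the trailer."""
    authed = packet
    if auth_alg is not None:
        authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(auth_key, authed, AUTH_ALGS[auth_alg]).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", authed[:8])
    iv, ciphertext = authed[8:8 + iv_len], authed[8 + iv_len:]
    if len(ciphertext) % block_size:
        raise ValueError("ciphertext not block aligned")
    plaintext, next_header = strip_trailer(decipher(iv, ciphertext))
    return spi, seq, plaintext, next_header


def null_cipher(iv, data):  # ESP_NULL: the transform framing with no encryption at all
    return data
```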