Mandatory Algorithms for ESP?

Charles Kunzinger <kunzinge@us.ibm.com> Thu, 19 March 1998 15:05 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id KAA17733 for ipsec-outgoing; Thu, 19 Mar 1998 10:05:36 -0500 (EST)
From: Charles Kunzinger <kunzinge@us.ibm.com>
To: ipsec@tis.com
Subject: Mandatory Algorithms for ESP?
Message-ID: <5040300013972416000002L062*@MHS>
Date: Thu, 19 Mar 1998 09:58:53 -0500
MIME-Version: 1.0
Content-Type: text/plain
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

In reviewing the recent drafts, I found a discrepancy in the
mandatory-to-support algorithms (transforms) between "Domain of
Interpretation" (....doi-08.txt) and "ESP" (...esp-v2.04.txt).  In the ESP
draft, it states in Section 5 that a compliant ESP implementation MUST
support DES in CBC Mode, HMAC with MD5, HMAC with SHA-1, NULL encryption,
and NULL authentication.  But in the DOI draft, section 4.4.4, the only
mandatory-to-support transforms are NULL encryption and DES with HMAC_MD5.

I'm guessing that the information in the DOI draft is valid, and that the
ESP draft should be clarified to be consistent.  If ESP were the controlling
draft, there would be 5 mandatory-to-implement algorithms:
ESP(DES-CBC, HMAC-MD5), ESP(DES-CBC, HMAC-SHA), ESP(DES-CBC, NULL),
ESP(NULL, HMAC-MD5), and ESP(NULL, HMAC-SHA).  This seems excessive, to say
the least.

However, in the DOI, we should probably also specify a
mandatory-to-implement authentication attribute for use with NULL
encryption, since ESP(NULL, NULL) is an illegal case.

To net it out, I'm working on the assumption that the
mandatory-to-implement algorithms (transforms?) for use in ESP are:
a) ESP(DES-CBC, HMAC-MD5) and b) ESP(NULL, HMAC-MD5).  Is this correct?

Also, do the terms "algorithm" and "transform" mean the same thing, or is there
some subtle difference that I need to be aware of?


Thanks,
Charlie

____________________________
Charles A Kunzinger (kunzinge@us.ibm.com)
TCP/IP Technology Management, JDGA/501, RTP
Phone: Tieline 8-444-4142 ,  External 1-919-254-4142
Fax: Tieline 8-444-6243,  External 1-919-254-6243
VM:  IBMUSM27(KUNZINGE)