Re: [IPsec] Updated ESP/AH algorithm I-D

Stephen Kent <> Tue, 12 March 2013 15:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5796921F83E1 for <>; Tue, 12 Mar 2013 08:09:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rVE5o5zHxzDM for <>; Tue, 12 Mar 2013 08:09:13 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 1CE5B21F89FB for <>; Tue, 12 Mar 2013 08:09:13 -0700 (PDT)
Received: from ([]:36011 by with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <>) id 1UFQpD-0005Cc-HD; Tue, 12 Mar 2013 11:09:11 -0400
Message-ID: <>
Date: Tue, 12 Mar 2013 11:09:10 -0400
From: Stephen Kent <>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130307 Thunderbird/17.0.4
MIME-Version: 1.0
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [IPsec] Updated ESP/AH algorithm I-D
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 12 Mar 2013 15:09:14 -0000


I did a quick check of 4301, and it uses the term "confidentiality" 
consistently when referring to the service, and uses "encryption" to 
refer to the mechanism. They are not used interchangeably.
The same seems to apply to use of terminology re data origin 
authentication, integrity, etc.


On 3/12/13 10:01 AM, Frankel, Sheila E. wrote:
> Hi David and Wajdi,
> Your updated ESP/AH algorithm doc looks great, and is very much needed. I just have one comment. You speak of the 2 services provided by ESP and AH as confidentiality and "data origin authentication." As I'm sure you know, authentication is used in different ways by different communities. I believe that in most of the IPsec docs the 1st service is referred to interchangeably as encryption and confidentiality; the 2nd service is interchangeably referred to as authentication and integrity protection. However, in RFC 4303 (ESP) it states: "Data origin authentication and connectionless integrity are joint services, hereafter referred to jointly as "integrity"." In your doc, the integrity-protection aspect is not mentioned at all, and I believe that is a critical oversight.
> Sheila Frankel
> _______________________________________________
> IPsec mailing list