AH/ESP drafts
Karen Seo <kseo@bbn.com> Fri, 13 March 1998 17:15 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id MAA10499 for ipsec-outgoing; Fri, 13 Mar 1998 12:15:06 -0500 (EST)
Message-Id: <199803131729.MAA06106@relay.rv.tis.com>
Date: Fri, 13 Mar 1998 12:25:12 -0500
From: Karen Seo <kseo@bbn.com>
To: ipsec@tis.com
cc: kseo@bbn.com
Subject: AH/ESP drafts
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Folks, Here is a summary of the changes we've made to the IPsec AH and ESP drafts. Please accept our apologies if we've missed any comments/corrections. At the request of the WG Chairs, we are sending the draft to both the IETF secretariat and directly to the mailing list (to minimize delays.) This latest versions are: draft-ietf-ipsec-esp-v2-04.txt draft-ietf-ipsec-auth-header-05.txt Thank you, Karen =========================================================================== AH Changes Section 3.3.3 Integrity Check Value Calculation -- P. Goli Changed to be consistent with Section 3.3.3.2.1 in saying that the padding is included in the ICV calculation: The AH ICV is computed over: o IP header fields that are either immutable in transit or that are predictable in value upon arrival at the endpoint for the AH SA o the AH header (Next Header, Payload Len, Reserved, SPI, Sequence Number, and the Authentication Data (which is set to zero for this computation)) o the upper level protocol data, which is assumed to be immutable in transit to: The AH ICV is computed over: o IP header fields that are either immutable in transit or that are predictable in value upon arrival at the endpoint for the AH SA o the AH header (Next Header, Payload Len, Reserved, SPI, Sequence Number, and the Authentication Data (which is set to zero for this computation), and explicit padding bytes (if any)) o the upper level protocol data, which is assumed to be immutable in transit =========================================================================== ESP Changes 1. Typos/Clarifications -- per J. Daily Section 3.4.1 Reassembly Added "received" after the words "date/time" in the list of items to log for an auditable event. Added "Sequence Number" to the list of items to log for an auditable event Section 3.4.2 Security Association Lookup Added "received" after the words "date/time" in the list of items to log for an auditable event. Added "Sequence Number" to the list of items to log for an auditable event Section 3.4.3 Sequence Number Verification Added "received" after the words "date/time" in the list of items to log for an auditable event. Section 3.4.4 Integrity Check Value Verification Added "Sequence Number" to the list of items to log for an auditable event 2. Modify to make ESP encryption optional -- per community and WG-chairs ------------------------------------------------------------------------ Section 1. Introduction Changed 3rd paragraph from: ESP is used to provide.... Data origin authentication and connectionless integrity are joint services (hereafter referred to jointly as "authentication) and are offered as an option in conjunction with confidentiality.... to: ESP is used to provide.... Data origin authentication and connectionless integrity are joint services (hereafter referred to jointly as "authentication) and are offered as an option in conjunction with (optional) confidentiality.... Note that although both confidentiality and authentication are optional, at least one of them MUST be selected. Section 3.2 Algorithms Added sentence to 1st paragraph Note that although both confidentiality and authentication are optional, at least one of these services MUST be selected hence both algorithms MUST NOT be simultaneously NULL. Section 3.3.2 Packet Encryption Changed leadin sentence from: The sender: 1. encapsulates.... 2. adds... 3. encrypts... to If confidentiality is selected, then the sender: 1. encapsulates.... 2. adds... 3. encrypts... Section 3.4.5 Packet Decryption Changed leadin sentence from: The receiver: 1. decrypts.... to If confidentiality has been selected, then the receiver: 1. decrypts.... Section 5. Conformance Requirements Changed list of algorithms from: - DES in CBC mode [MD97] - HMAC with MD5 [MG97a] - HMAC with SHA-1 [MG97b] to: - DES in CBC mode [MD97] - HMAC with MD5 [MG97a] - HMAC with SHA-1 [MG97b] - NULL Authentication algorithm - NULL Encryption algorithm Added the text: Since ESP encryption and authentication are optional, support for the 2 "NULL" algorithms is required to maintain consistency with the way these services are negotiated. NOTE that while authentication and encryption can each be "NULL", they MUST NOT both be "NULL".
- AH/ESP drafts Karen Seo
- Re: AH/ESP drafts Lewis McCarthy