Re: [IPsec] Updated ESP/AH algorithm I-D

"Frankel, Sheila E." <> Tue, 12 March 2013 16:57 UTC

From: "Frankel, Sheila E." <>
To: Stephen Kent <>, "" <>
Date: Tue, 12 Mar 2013 12:56:04 -0400


Perhaps I wasn't clear in the main thrust of my message. I'm not quibbling about terminology; I'm concerned that the I-D is lacking some vital information. The I-D discusses 2 services provided by ESP and AH: confidentiality and data origin authentication. My point was that the 2nd service includes connectionless integrity protection as well - which is not identical to data origin authentication - and therefore integrity protection should be mentioned in the I-D.


From: Stephen Kent []
Sent: Tuesday, March 12, 2013 11:09 AM
To:; Frankel, Sheila E.
Subject: Re: [IPsec] Updated ESP/AH algorithm I-D


I did a quick check of 4301, and it uses the term "confidentiality"
consistently when referring to the service, and uses "encryption" to
refer to the mechanism. They are not used interchangeably.
The same seems to apply to use of terminology re data origin
authentication, integrity, etc.


On 3/12/13 10:01 AM, Frankel, Sheila E. wrote:
> Hi David and Wajdi,
> Your updated ESP/AH algorithm doc looks great, and is very much needed. I just have one comment. You speak of the 2 services provided by ESP and AH as confidentiality and "data origin authentication." As I'm sure you know, authentication is used in different ways by different communities. I believe that in most of the IPsec docs the 1st service is referred to interchangeably as encryption and confidentiality; the 2nd service is interchangeably referred to as authentication and integrity protection. However, in RFC 4303 (ESP) it states: "Data origin authentication and connectionless integrity are joint services, hereafter referred to jointly as "integrity"." In your doc, the integrity-protection aspect is not mentioned at all, and I believe that is a critical oversight.
> Sheila Frankel
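The RFC 4303 point quoted above (data origin authentication and connectionless integrity being one joint "integrity" service) can be shown concretely with the ESP ICV: a single keyed MAC check rejects both a modified packet and a packet built with a different key. The following is an added illustration, not code from the thread or from the I-D; the packet layout is simplified to SPI, sequence number and payload, and the key and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread): a 128-bit SA key and one ESP packet.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SPI = 0x1000
SEQ = 1
PAYLOAD = b"sample ESP payload"


def esp_authenticated_bytes(spi: int, seq: int, payload: bytes) -> bytes:
    """Bytes covered by the ESP ICV: SPI, sequence number and the (encrypted) payload.
    Simplified from the RFC 4303 packet format for illustration."""
    return struct.pack("!II", spi, seq) + payload


def compute_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA-256 truncated to 128 bits (the AUTH_HMAC_SHA2_256_128 transform)."""
    mac = hmac.new(key, esp_authenticated_bytes(spi, seq, payload), hashlib.sha256)
    return mac.digest()[:16]


def verify_icv(key: bytes, spi: int, seq: int, payload: bytes, icv: bytes) -> bool:
    """Receiver-side check; constant-time compare avoids leaking the ICV by timing."""
    expected = compute_icv(key, spi, seq, payload)
    return hmac.compare_digest(expected, icv)


def demo() -> tuple:
    """Returns (genuine_ok, tampered_ok, wrong_key_ok) for the three receiver checks."""
    icv = compute_icv(KEY, SPI, SEQ, PAYLOAD)
    # Genuine packet from the SA peer: accepted.
    genuine_ok = verify_icv(KEY, SPI, SEQ, PAYLOAD, icv)
    # Connectionless integrity: one changed payload byte fails the same check.
    tampered_ok = verify_icv(KEY, SPI, SEQ, PAYLOAD[:-1] + b"!", icv)
    # Data origin authentication: an ICV computed under a different key fails the same check.
    other_key = bytes.fromhex("ff" * 16)
    wrong_key_ok = verify_icv(KEY, SPI, SEQ, PAYLOAD, compute_icv(other_key, SPI, SEQ, PAYLOAD))
    return genuine_ok, tampered_ok, wrong_key_ok
```

Replay protection is deliberately absent here: the sequence number is covered by the ICV, but the anti-replay window is a separate receiver check in RFC 4303.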