Re: [IPsec] Updated ESP/AH algorithm I-D
"Frankel, Sheila E." <sheila.frankel@nist.gov> Tue, 12 March 2013 16:57 UTC
Return-Path: <sheila.frankel@nist.gov>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64D3311E80D1 for <ipsec@ietfa.amsl.com>; Tue, 12 Mar 2013 09:57:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3BSO0oDZ7SO5 for <ipsec@ietfa.amsl.com>; Tue, 12 Mar 2013 09:57:44 -0700 (PDT)
Received: from wsget2.nist.gov (wsget2.nist.gov [129.6.13.151]) by ietfa.amsl.com (Postfix) with ESMTP id 2969E11E80D9 for <ipsec@ietf.org>; Tue, 12 Mar 2013 09:57:42 -0700 (PDT)
Received: from WSXGHUB2.xchange.nist.gov (129.6.18.19) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.3.123.3; Tue, 12 Mar 2013 12:58:03 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB2.xchange.nist.gov ([129.6.18.19]) with mapi; Tue, 12 Mar 2013 12:57:39 -0400
From: "Frankel, Sheila E." <sheila.frankel@nist.gov>
To: Stephen Kent <kent@bbn.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Date: Tue, 12 Mar 2013 12:56:04 -0400
Thread-Topic: [IPsec] Updated ESP/AH algorithm I-D
Thread-Index: Ac4fM49f6VjiGP1nRiatud2VRkGpowADuwr6
Message-ID: <D7A0423E5E193F40BE6E94126930C4930BFB6145E5@MBCLUSTER.xchange.nist.gov>
References: <D7A0423E5E193F40BE6E94126930C4930BFB6145E1@MBCLUSTER.xchange.nist.gov>, <513F4516.8080905@bbn.com>
In-Reply-To: <513F4516.8080905@bbn.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Subject: Re: [IPsec] Updated ESP/AH algorithm I-D
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2013 16:57:47 -0000
Steve,

Perhaps I wasn't clear in the main thrust of my message. I'm not quibbling about terminology; I'm concerned that the I-D is lacking some vital information. The I-D discusses 2 services provided by ESP and AH: confidentiality and data origin authentication. My point was that the 2nd service includes connectionless integrity protection as well - which is not identical to data origin authentication - and therefore integrity protection should be mentioned in the I-D.

Sheila

________________________________________
From: Stephen Kent [kent@bbn.com]
Sent: Tuesday, March 12, 2013 11:09 AM
To: ipsec@ietf.org; Frankel, Sheila E.
Subject: Re: [IPsec] Updated ESP/AH algorithm I-D

Sheila,

I did a quick check of 4301, and it uses the term "confidentiality" consistently when referring to the service, and uses "encryption" to refer to the mechanism. They are not used interchangeably. The same seems to apply to use of terminology re data origin authentication, integrity, etc.

Steve

On 3/12/13 10:01 AM, Frankel, Sheila E. wrote:
> Hi David and Wajdi,
>
> Your updated ESP/AH algorithm doc looks great, and is very much needed. I just have one comment. You speak of the 2 services provided by ESP and AH as confidentiality and "data origin authentication." As I'm sure you know, authentication is used in different ways by different communities. I believe that in most of the IPsec docs the 1st service is referred to interchangeably as encryption and confidentiality; the 2nd service is interchangeably referred to as authentication and integrity protection. However, in RFC 4303 (ESP) it states: "Data origin authentication and connectionless integrity are joint services, hereafter referred to jointly as "integrity"." In your doc, the integrity-protection aspect is not mentioned at all, and I believe that is a critical oversight.
>
> Sheila Frankel
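The following is an added illustration of the distinction the thread is about; it is not part of the mailing-list exchange, nor code from the I-D or from RFC 4303. It builds a deliberately simplified ESP-style packet (SPI, sequence number, payload, truncated HMAC-SHA256 ICV; no IV, padding or Next Header field) and shows that one keyed-MAC check yields both services RFC 4303 groups as "integrity": a modified packet fails (connectionless integrity) and a packet produced without the SA key fails (data origin authentication). It also goes one step beyond the thread to show that the ICV alone accepts a replayed copy, which is why RFC 4303 lists anti-replay as a separate service; the window class is a simplified version of the one sketched in RFC 4303 Appendix A. The keys, SPI and payload are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed, simplified ESP-style packet: SPI || Seq || payload || ICV.
# Real ESP (RFC 4303) also carries an IV, padding, Pad Length and Next Header
# fields and usually an encrypted payload; they are omitted here because the
# point is the integrity/origin-authentication service, not the wire format.
ICV_LEN = 16  # truncated HMAC-SHA256 ICV (HMAC-SHA-256-128 per RFC 4868)


def build_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Assemble a packet and append an ICV computed over everything before it."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def verify_packet(key: bytes, packet: bytes):
    """Return (spi, seq, payload) if the ICV verifies under `key`, else None.

    A single keyed-MAC check gives both services RFC 4303 groups as "integrity":
    - connectionless integrity: any modified bit changes the expected ICV;
    - data origin authentication: only a holder of the SA key can produce a
      valid ICV, so a verifying packet came from a peer that knows the key.
    """
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time comparison
        return None
    spi, seq = struct.unpack("!II", body[:8])
    return spi, seq, body[8:]


class AntiReplayWindow:
    """Sliding window in the style of RFC 4303 Appendix A (simplified)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set <=> sequence number (top - i) already seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False  # RFC 4303: the first packet on an SA carries seq 1
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) & mask) | 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False  # too old for the window, or a duplicate
        self.bitmap |= 1 << diff
        return True


def demo() -> dict:
    """Exercise the cases and report which ones the receiver accepts."""
    sa_key = os.urandom(32)         # key shared by the two SA endpoints
    outsider_key = os.urandom(32)   # a party that does not know the SA key
    spi, payload = 0x00001000, b"constructed payload"

    genuine = build_packet(sa_key, spi, 1, payload)

    # Connectionless integrity: flip one payload bit in transit.
    tampered = bytearray(genuine)
    tampered[8] ^= 0x01

    # Data origin authentication: a well-formed packet built under another key.
    forged = build_packet(outsider_key, spi, 2, payload)

    # Replay: the ICV alone cannot distinguish a copy from the original;
    # rejecting it is the separate anti-replay service, provided by the window.
    window = AntiReplayWindow()
    replay_icv_only = verify_packet(sa_key, genuine) is not None
    first_seen = window.check_and_update(1)
    replayed = window.check_and_update(1)

    return {
        "genuine": verify_packet(sa_key, genuine) is not None,
        "tampered": verify_packet(sa_key, bytes(tampered)) is not None,
        "forged": verify_packet(sa_key, forged) is not None,
        "replay_icv_only": replay_icv_only,
        "replay_with_window": first_seen and not replayed,
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:20s} accepted={accepted}")
```

The ICV covers SPI, sequence number and payload but not itself, matching ESP's integrity coverage. Note that the receiver cannot tell "tampered" from "forged": both are just ICV failures, which is exactly why the two services are delivered jointly by one mechanism and why the thread argues both should be named.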