Re: [perpass] NULL Cipher RFC 2410 to HISTORIC ???

Stephen Kent <kent@bbn.com> Mon, 09 December 2013 14:58 UTC

Merike,
> And so I reply to myself, but got curious and wanted evidence. I found
> the first references to AH/ESP and NULL in the June 1996 IPsec archives.
> http://www.sandelman.ottawa.on.ca/ipsec/1996/06/msg00030.html
>
> And while there were some interesting tidbits, the joggle for my memory banks
> was that there was a bunch of discussion on where AH would be used
> with ESP and whether ESP only would also be relevant. And while I
> couldn't find an exact reference to the March 1998 interop testing in
> North Carolina that showed issues with AH not traversing NATs, I am
> fairly certain that was the case and why in practice people started
> using ESP-Null. (It wasn't in the notes for the follow-up IETF IPsec
> meeting.)
>
> Someone else from that time may also be able to chime in.
>
The very first IPsec designs called for use of AH plus ESP to offer
authentication, integrity and confidentiality. That dual protocol use
was a significant burden, so ESP was extended to offer all three services,
and AH remained as an auth/integ but no confid alternative, for various
reasons. (One reason, as you noted, was export controls on encryption.)
Later we revised ESP to incorporate NULL encryption for the reasons I cited
earlier; I forgot about the NAT problem.

Steve
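The NAT problem both messages refer to, shown as an added example that is not part of the thread: AH's ICV covers the IP addresses (only TTL, TOS, flags/fragment offset and checksum are treated as mutable and zeroed), so a NAT rewriting the source address breaks verification, whereas ESP-NULL's ICV covers only the ESP header, payload and trailer and survives. Key, addresses, SPI and payload are constructed, and the ICV is a truncated HMAC-SHA256 standing in for whatever integrity algorithm the SA negotiates.

```python
import hmac
import hashlib
import struct

KEY = b"constructed-demo-key"   # constructed; a real SA would negotiate this
ICV_LEN = 12

def ipv4_header(src, dst, proto, ttl=64):
    # ver/IHL, TOS, total len, ID, flags/frag, TTL, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, 0x4000,
                       ttl, proto, 0, src, dst)

def ah_integrity_view(ip_hdr):
    # RFC 4302 treats TOS, flags/fragment offset, TTL and checksum as mutable
    # and zeroes them before the ICV is computed. The addresses are NOT
    # mutable in AH's model, which is exactly what a NAT rewrites.
    return (ip_hdr[:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00" + b"\x00"
            + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20])

def ah_icv(ip_hdr, payload):
    return hmac.new(KEY, ah_integrity_view(ip_hdr) + payload,
                    hashlib.sha256).digest()[:ICV_LEN]

def esp_null_icv(esp_hdr_payload_trailer):
    # ESP's ICV covers the ESP header, the (here unencrypted) payload and the
    # ESP trailer only; the outer IP header is outside the integrity scope.
    return hmac.new(KEY, esp_hdr_payload_trailer, hashlib.sha256).digest()[:ICV_LEN]

def forward_plain_router(ip_hdr):
    # An ordinary hop only decrements TTL (checksum fix-up omitted).
    return ip_hdr[:8] + bytes([ip_hdr[8] - 1]) + ip_hdr[9:20]

def forward_through_nat(ip_hdr, new_src):
    # A NAT decrements TTL and rewrites the source address.
    return ip_hdr[:8] + bytes([ip_hdr[8] - 1]) + ip_hdr[9:12] + new_src + ip_hdr[16:20]

SRC, DST, NAT_SRC = b"\x0a\x00\x00\x05", b"\xc0\x00\x02\x01", b"\xc6\x33\x64\x07"
PAYLOAD = b"constructed upper-layer data"

def ah_verifies(forward):
    hdr = ipv4_header(SRC, DST, proto=51)                 # 51 = AH
    icv = ah_icv(hdr, PAYLOAD)                            # sender computes
    received = forward(hdr)                               # packet crosses a hop
    return hmac.compare_digest(icv, ah_icv(received, PAYLOAD))  # receiver checks

def esp_null_verifies(forward):
    esp = struct.pack("!II", 0x100, 1) + PAYLOAD + b"\x00\x00\x00\x06"  # SPI, seq, data, trailer
    icv = esp_null_icv(esp)
    outer = forward(ipv4_header(SRC, DST, proto=50))      # 50 = ESP; only outer header changes
    return outer[9] == 50 and hmac.compare_digest(icv, esp_null_icv(esp))
```

Running `ah_verifies` with a plain router passes, with a NAT fails, and `esp_null_verifies` passes through the same NAT, which is the practical reason ESP-NULL displaced AH for integrity-only use.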