[13681] in cryptography@c2.net mail archive
authentication and ESP
daemon@ATHENA.MIT.EDU (martin f krafft)
Thu Jun 19 13:55:37 2003
X-Original-To: cryptography@metzdowd.com
Date: Thu, 19 Jun 2003 19:49:40 +0200
From: martin f krafft <madduck@madduck.net>
To: crypto list <cryptography@metzdowd.com>
Mail-Followup-To: crypto list <cryptography@metzdowd.com>
As far as I can tell, IPsec's ESP has the functionality of
authentication and integrity built in:
RFC 2406:
2.7 Authentication Data
The Authentication Data is a variable-length field containing an
Integrity Check Value (ICV) computed over the ESP packet minus
the Authentication Data. The length of the field is specified by
the authentication function selected. The Authentication Data
field is optional, and is included only if the authentication
service has been selected for the SA in question. The
authentication algorithm specification MUST specify the length of
the ICV and the comparison rules and processing steps for
validation.
To my knowledge, IPsec implementations use AH for "signing" though.
Why do we need AH, or why is it preferred?
Thanks for your clarification!
-- 
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

invalid PGP subkeys? use subkeys.pgp.net as keyserver!

XP is NT with eXtra Problems.
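The ICV computation the quoted RFC 2406 text describes, as an added example that is not part of the original post: it assumes HMAC-SHA1-96 (RFC 2404) as the selected authentication algorithm, and the key, SPI, sequence number, payload and IPv4 addresses are constructed sample values. It shows that the ESP ICV covers only the ESP packet (SPI, sequence number, payload, trailer), so ESP's own check does not notice a change to the outer IP header, which AH's ICV does cover.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the original post).
KEY = bytes.fromhex("0b" * 20)          # 160-bit HMAC-SHA1 key (RFC 2404)
SPI, SEQ = 0x12345678, 1
PAYLOAD = b"\xa1" * 14 + b"\x00\x00"    # "encrypted" payload incl. 2 pad bytes
ICV_LEN = 12                            # HMAC-SHA1-96 truncates to 96 bits

def esp_icv(key: bytes, body: bytes) -> bytes:
    """ICV over the ESP packet minus the Authentication Data field:
    SPI, sequence number, (encrypted) payload and trailer. The outer IP
    header is not part of the input, so ESP cannot detect changes to it."""
    return hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]

def build_esp(key: bytes, spi: int, seq: int, payload: bytes,
              pad_len: int = 2, next_header: int = 4) -> bytes:
    """ESP header + payload + trailer (pad length, next header) + ICV."""
    body = struct.pack("!II", spi, seq) + payload + bytes([pad_len, next_header])
    return body + esp_icv(key, body)

def verify_esp(key: bytes, packet: bytes) -> bool:
    """Receiver-side check: recompute the ICV and compare in constant time."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return False
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, esp_icv(key, body))

def verify_ipv4_esp(key: bytes, datagram: bytes) -> bool:
    """Verify the ESP packet carried in an IPv4 datagram with a 20-byte header."""
    return verify_esp(key, datagram[20:])

def flip_byte(data: bytes, index: int) -> bytes:
    """Return a copy of data with one byte inverted (simulates in-flight modification)."""
    return data[:index] + bytes([data[index] ^ 0xFF]) + data[index + 1:]

def ipv4_header(src: bytes, dst: bytes, total_len: int) -> bytes:
    """Minimal constructed IPv4 header (protocol 50 = ESP, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 50, 0, src, dst)

if __name__ == "__main__":
    esp = build_esp(KEY, SPI, SEQ, PAYLOAD)
    dgram = ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 20 + len(esp)) + esp
    print("valid:", verify_ipv4_esp(KEY, dgram))
    print("payload tampered:", verify_ipv4_esp(KEY, flip_byte(dgram, 20 + 8)))
    print("outer src addr changed:", verify_ipv4_esp(KEY, flip_byte(dgram, 12)))
```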
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com