[13685] in cryptography@c2.net mail archive
Re: authentication and ESP
daemon@ATHENA.MIT.EDU (Derek Atkins)
Sun Jun 22 14:59:24 2003
X-Original-To: cryptography@metzdowd.com
To: martin f krafft <madduck@madduck.net>
Cc: crypto list <cryptography@metzdowd.com>
From: Derek Atkins <derek@ihtfp.com>
Date: 22 Jun 2003 13:33:00 -0400
In-Reply-To: <20030619174940.GA18220@diamond.madduck.net>
you really don't want to open this can of worms.... I suggest you
go read the archives of the IPsec mailing list over the last 9
years. That should give you some clue into the depth of the
can you plan to open...
-derek
martin f krafft <madduck@madduck.net> writes:
> As far as I can tell, IPsec's ESP has the functionality of
> authentication and integrity built in:
>
> RFC 2406:
>
> 2.7 Authentication Data
>
> The Authentication Data is a variable-length field containing an
> Integrity Check Value (ICV) computed over the ESP packet minus
> the Authentication Data. The length of the field is specified by
> the authentication function selected. The Authentication Data
> field is optional, and is included only if the authentication
> service has been selected for the SA in question. The
> authentication algorithm specification MUST specify the length of
> the ICV and the comparison rules and processing steps for
> validation.
>
> To my knowledge, IPsec implementations use AH for "signing" though.
> Why do we need AH, or why is it preferred?
>
> Thanks for your clarification!
>
> --
> martin; (greetings from the heart of the sun.)
> \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
>
> invalid PGP subkeys? use subkeys.pgp.net as keyserver!
>
> XP is NT with eXtra Problems.
--
Derek Atkins
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
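To make the quoted RFC 2406 text concrete, here is an added worked example (not code from the thread or from any IPsec implementation) showing what "the ICV computed over the ESP packet minus the Authentication Data" means in practice. It assumes HMAC-SHA1-96 (RFC 2404) as the selected authentication function, omits encryption so the covered region is visible as plaintext, and uses a constructed key and payload. The ICV covers the SPI, sequence number, payload and ESP trailer, but not the outer IP header, which is the part of the packet AH additionally protects.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96: the 160-bit HMAC-SHA1 tag truncated to 96 bits (RFC 2404)


def build_esp_packet(spi: int, seq: int, payload: bytes, next_header: int, auth_key: bytes) -> bytes:
    """Assemble an ESP packet in the RFC 2406 layout and append the ICV.

    Layout: SPI (4) | Sequence Number (4) | Payload | Padding | Pad Length (1) |
            Next Header (1) | Authentication Data (ICV).
    Encryption is deliberately omitted (constructed example): the point is which
    bytes the ICV is computed over, not confidentiality.
    """
    # Pad so that payload + padding + pad length + next header is a multiple of 4 bytes
    pad_needed = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_needed + 1))  # RFC 2406 default monotonic padding
    trailer = padding + bytes([pad_needed, next_header])
    header = struct.pack("!II", spi, seq)
    body = header + payload + trailer
    # ICV = HMAC over everything except the Authentication Data field itself
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def verify_esp_packet(packet: bytes, auth_key: bytes) -> bool:
    """Recompute the ICV over the packet minus its Authentication Data and compare."""
    if len(packet) < 8 + 2 + ICV_LEN:  # header + minimal trailer + ICV
        return False
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    # Constant-time comparison so the receiver does not leak how many ICV bytes matched
    return hmac.compare_digest(expected, icv)


def parse_esp_packet(packet: bytes, auth_key: bytes):
    """Return (spi, seq, payload, next_header), but only after the ICV verifies.

    RFC 2406 processing order: authenticate first, then interpret the trailer,
    so a forged pad length is never acted on.
    """
    if not verify_esp_packet(packet, auth_key):
        raise ValueError("ICV mismatch: packet discarded")
    body = packet[:-ICV_LEN]
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    return spi, seq, payload, next_header


def demo():
    """Constructed round trip: a valid packet verifies; a modified one does not."""
    key = b"\x0b" * 20          # constructed 160-bit authentication key
    pkt = build_esp_packet(spi=0x1234, seq=1, payload=b"hello", next_header=17, auth_key=key)
    ok = verify_esp_packet(pkt, key)
    tampered = bytearray(pkt)
    tampered[8] ^= 0x01          # flip one bit in the first payload byte
    tampered_ok = verify_esp_packet(bytes(tampered), key)
    return ok, tampered_ok


if __name__ == "__main__":
    valid, modified = demo()
    print("original packet verifies:", valid)
    print("modified packet verifies:", modified)
```

Running `demo()` shows the original packet verifying and the single-bit modification rejected; `parse_esp_packet` refuses to interpret the trailer of any packet whose ICV fails, which is the "comparison rules and processing steps for validation" the quoted RFC paragraph requires the algorithm specification to define.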