IPSec Questions

Robert Moskowitz rgm at icsa.net
Tue Aug 17 20:51:54 EDT 1999


At 01:22 PM 8/11/1999 -0500, Rick Smith wrote:
>
>You can minimize packet size inflation by using the combined transforms, of
>course, but you still have to pay the computational overhead.

Um, this text SEEMS to imply that ESP CAN be done without authentication.
If you read the RFCs, you will see that the INTENT is that ENCRYPTION IS
NEVER USED WITHOUT AUTHENTICATION.

Dr. Orman was aghast that this was allowed in RFCs 1825-9 (she seems to
know of attacks much worse than Dr. Bellovin's documented one).

Dr. Kent allowed for ESP with encryption and without authentication only
for the case where ESP is inside of AH (this is to provide header
protection and encryption).

Any implementation that allows for ESP encryption without authentication
without enforcing AH should have warning labels on it.  IMHBO

If you question this, talk to me offline.  Just as a point; I AM the
co-chair and dealt with these issues.  If you want textual changes in the
RFCs to clarify this, talk to me now. Ted and I are revving all of the docs
for DC.

Robert Moskowitz
ICSA, Inc.
	(248) 968-9809
Fax:	(248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished 
if it doesn't matter who gets the credit
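The point of the message above (ESP encryption without an ICV lets a modified packet decrypt to modified plaintext with nothing to detect it) as an added example, not from the original post or from any IPsec implementation. It models an ESP-style payload with a PRF-based counter-mode keystream standing in for the ESP cipher (an assumption made for self-containment) and a 96-bit truncated HMAC as the ICV; the keys, IV and packet contents are constructed.

```python
import hashlib
import hmac
IV_LEN, ICV_LEN = 8, 12  # 96-bit ICV, the truncation ESP's HMAC transforms use

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # PRF-in-counter-mode keystream; a self-contained stand-in for the ESP
    # cipher (assumption: any unauthenticated stream/CTR cipher behaves alike).
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt_only(enc_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # ESP with encryption and no ICV: IV || ciphertext.
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, iv, len(plaintext))))
    return iv + ct

def decrypt_only(enc_key: bytes, packet: bytes) -> bytes:
    iv, ct = packet[:IV_LEN], packet[IV_LEN:]
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, iv, len(ct))))

def encrypt_auth(enc_key: bytes, auth_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC, the order ESP uses: the ICV is computed over the ciphertext.
    body = encrypt_only(enc_key, iv, plaintext)
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]

def decrypt_auth(enc_key: bytes, auth_key: bytes, packet: bytes):
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None  # ICV mismatch: the receiver drops the packet
    return decrypt_only(enc_key, body)

def corrupt(packet: bytes, offset: int, mask: int) -> bytes:
    # One ciphertext byte altered in transit (constructed test input).
    b = bytearray(packet)
    b[offset] ^= mask
    return bytes(b)

def demo():
    enc_key, auth_key, iv = b"K" * 32, b"A" * 32, bytes(range(IV_LEN))  # constructed keys/IV
    msg = b"dst=10.0.0.5 amount=0100"
    off, mask = IV_LEN + msg.index(b"0100"), ord("0") ^ ord("9")
    # Without an ICV the altered byte decrypts to a different, plausible plaintext.
    unauth = decrypt_only(enc_key, corrupt(encrypt_only(enc_key, iv, msg), off, mask))
    # With an ICV the same alteration is detected and the packet is rejected.
    authed = decrypt_auth(enc_key, auth_key, corrupt(encrypt_auth(enc_key, auth_key, iv, msg), off, mask))
    return unauth, authed
```

Running `demo()` returns the silently altered plaintext for the encryption-only packet and `None` (dropped) for the authenticated one, which is the receiver-side behaviour the RFC intent relies on.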
