
Re: linux-ipsec: broken for a few days...

From: <rob.glenn(at)nist.gov>
Date: Fri Aug 07 1998 - 08:11:43 EDT

Come on folks, not yet another US government conspiracy theory in the making!

ESP-NULL was initially requested by a particular vendor which wanted to use IPsec authentication services on non-IP networks and had other proposed uses for an authentication algorithm that ignores the IP header. The idea was presented at the March 1998 Raleigh IPsec Interop. and drafted shortly afterward. No one in the IETF IPsec WG publicly objected.

Because of the controversy with AH, and the fact that ESP_NULL + <your favorite IPsec authentication algorithm> is, as far as we know at this time, equally as strong as AH with <same algorithm>, it was decided to make ESP_NULL a "mandatory to implement" algorithm (as specified in the DOI draft). I seriously doubt this will change.

As far as implementing ESP_NULL, just make sure that it MUST be used WITH one of the specified authentication algorithms. Hell, don't even call it ESP_NULL, call it ESP_Authentication, if that will alleviate some of the fear and paranoia.

As far as I know, NSA made no comments for or against and the US government only participated by letting me co-author a somewhat humorous draft with Steve Kent.

Rob G.
rob.glenn@nist.gov

>Date: Fri, 7 Aug 1998 04:05:42 GMT
>From: John Gilmore <gnu@toad.com>
>
>> I have just implemented ESP-NULL-MD5-96 and am in the process of testing
Received on Fri Aug 7 09:04:10 1998
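
The rule stated in the message above (ESP_NULL only together with an authentication algorithm), shown for the ESP-NULL-MD5-96 combination named in the quoted text. This is an added example, not part of the original message or of any IPsec implementation: the class `EspNullSA`, its method names, the SPI and the key are hypothetical or constructed. The packet layout follows the ESP format (SPI, sequence number, payload, padding, pad length, next header, ICV); anti-replay checking is left out.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-MD5-96: HMAC-MD5 output truncated to 96 bits


class EspNullSA:
    """Hypothetical security association: NULL encryption + HMAC-MD5-96."""

    def __init__(self, spi, auth_key):
        # NULL encryption is accepted only with an authentication key.
        if not auth_key:
            raise ValueError("ESP-NULL requires an authentication algorithm")
        self.spi, self.key, self.seq = spi, auth_key, 0

    def _icv(self, data):
        return hmac.new(self.key, data, hashlib.md5).digest()[:ICV_LEN]

    def seal(self, payload, next_header):
        """Build an ESP packet; the payload is carried unencrypted."""
        self.seq += 1
        pad_len = -(len(payload) + 2) % 4  # align the trailer to 4 bytes
        padding = bytes(range(1, pad_len + 1))
        body = (struct.pack("!II", self.spi, self.seq) + payload + padding
                + bytes([pad_len, next_header]))
        return body + self._icv(body)  # ICV covers SPI through next header

    def open(self, packet):
        """Verify the ICV first, then parse; returns (seq, next_header, payload)."""
        if len(packet) < 8 + 2 + ICV_LEN:
            raise ValueError("packet too short")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        if not hmac.compare_digest(icv, self._icv(body)):
            raise ValueError("ICV mismatch")
        spi, seq = struct.unpack("!II", body[:8])
        pad_len, next_header = body[-2], body[-1]
        if spi != self.spi or pad_len > len(body) - 10:
            raise ValueError("malformed packet")
        return seq, next_header, body[8:len(body) - 2 - pad_len]


if __name__ == "__main__":
    key = b"k" * 16  # constructed sample key
    sender, receiver = EspNullSA(0x1000, key), EspNullSA(0x1000, key)
    pkt = sender.seal(b"hello", 6)
    print(pkt.hex(), receiver.open(pkt))
```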


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:26 EDT

