
Re: ESP NULL was linux-ipsec: broken for a few days...

From: Rob Glenn <rob.glenn(at)nist.gov>
Date: Fri Aug 07 1998 - 23:23:12 EDT

Niels,

At 02:33 AM 8/8/98 +0200, you wrote:
>This is a poor state of affairs. A single, yet unnamed, vendor

The initial proposal did not ask for mandatory status, that was added later. The reason for this is in Section 5 of the ESP draft. Keep in mind that all of these drafts passed IETF WG last call, and IESG last call. Objections & corrections were noted and made.

>AFAIK NAT has been given as the only 'sensible' reason for 'null esp' so

NAT will not work with ESP_NULL. There was a discussion on this a few months back on the IPsec mailing list. The gist is that part of the IP payload needs to be adjusted in transit and ESP_NULL authenticates the entire payload. This was one of the corrections made shortly after IETF last call.

On the assumption that ESP_Authentication-only is equally as strong as AH, ESP_NULL is a lot easier and hence faster to process. I haven't seen any proposed attacks that would invalidate the assumption.

>I wish it were that easy to make clearly necessary transforms like 3DES
http://www.physnet.uni-hamburg.de/provos/
> Jungiusstrasse 9 E-Mail: provos@wserver.physnet.uni-hamburg.de
Received on Sat Aug 8 00:01:39 1998
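
The NAT point in the message above, as an added example that is not part of the original post: an ESP packet with NULL encryption carries its payload in the clear, but the ICV covers all of it, so a NAT that patches anything inside the payload invalidates the ICV. The example assumes the "part of the IP payload" is the TCP checksum (which covers the IP addresses) and that the ICV is HMAC-SHA-1-96; the key, SPI and addresses are constructed sample values.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread
INSIDE, PUBLIC, SERVER = "10.0.0.5", "203.0.113.7", "198.51.100.9"  # constructed

def csum(data: bytes) -> int:  # RFC 1071 Internet checksum
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo(src: str, dst: str, length: int) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, length)

def tcp_segment(src: str, dst: str, body: bytes) -> bytes:
    """20-byte TCP header plus body; the checksum covers the IP addresses."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    c = csum(pseudo(src, dst, len(hdr) + len(body)) + hdr + body)
    return hdr[:16] + struct.pack("!H", c) + hdr[18:] + body

def tcp_ok(src: str, dst: str, seg: bytes) -> bool:
    return csum(pseudo(src, dst, len(seg)) + seg) == 0

def esp_null(key: bytes, spi: int, seq: int, seg: bytes) -> bytes:
    """ESP with NULL encryption; ICV (HMAC-SHA-1-96 assumed) over header+payload+trailer."""
    pad = bytes(range(1, (-(len(seg) + 2)) % 4 + 1))
    body = struct.pack("!II", spi, seq) + seg + pad + bytes([len(pad), 6])
    return body + hmac.new(key, body, hashlib.sha1).digest()[:12]

def icv_ok(key: bytes, pkt: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, pkt[:-12], hashlib.sha1).digest()[:12], pkt[-12:])
def inner_segment(pkt: bytes) -> bytes:  # strip SPI/seq, padding, trailer and ICV
    return pkt[8:len(pkt) - 14 - pkt[-14]]

def nat_fixup(pkt: bytes, new_src: str, dst: str) -> bytes:
    """Hypothetical NAT step: patch the inner TCP checksum for the translated source."""
    seg = inner_segment(pkt)
    zeroed = seg[:16] + b"\x00\x00" + seg[18:]
    c = struct.pack("!H", csum(pseudo(new_src, dst, len(zeroed)) + zeroed))
    return pkt[:8] + seg[:16] + c + seg[18:] + pkt[8 + len(seg):]

def demo() -> dict:
    """Each value is (ICV valid, TCP checksum valid) as seen by the receiver."""
    pkt = esp_null(KEY, 0x1234, 1, tcp_segment(INSIDE, SERVER, b"GET / HTTP/1.0\r\n\r\n"))
    patched = nat_fixup(pkt, PUBLIC, SERVER)
    return {"untouched": (icv_ok(KEY, pkt), tcp_ok(INSIDE, SERVER, inner_segment(pkt))),
            "address_only": (icv_ok(KEY, pkt), tcp_ok(PUBLIC, SERVER, inner_segment(pkt))),
            "checksum_patched": (icv_ok(KEY, patched), tcp_ok(PUBLIC, SERVER, inner_segment(patched)))}
```

`demo()` shows both failure modes: translating only the outer address leaves the ICV valid but the inner TCP checksum wrong, and patching the checksum makes the ICV check fail.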


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:26 EDT

