On Mon, Dec 11, 2006 at 05:30:26PM -0500, Russ Housley wrote:
> Nico:
>
> >Use of the NULL ESP algorithm implies no confidentiality protection,
> >while use of the NULL AH algorithm implies no integrity protection
> >(unless combined mode ESP algorithms are used). And in general we want
> >IPsec used to provide integrity or confidentiality+integrity protection,
> >but not really just confidentiality protection.
>
> I generally agree with your point. Integrity protection is
> important, but I am not sure that this is the document to drive this
> point. We have seen NULL encryption and NULL integrity algorithms
> are very useful for debugging.

Right. I am not suggesting a change of policy here, but rather an
explanation for the MUST NOT use NULL ESP and NULL AH together.