Re: [secdir] Review of draft-manral-ipsec-rfc4305-bis-errata-02.txt

On Monday, December 11, 2006 04:34:54 PM -0600 Nicolas Williams <Nicolas.Williams@xxxxxxx> wrote:

> On Mon, Dec 11, 2006 at 05:30:26PM -0500, Russ Housley wrote:
> > Nico:
> > 
> > > Use of the NULL ESP algorithm implies no confidentiality protection,
> > > while use of the NULL AH algorithm implies no integrity protection
> > > (unless combined mode ESP algorithms are used).  And in general we want
> > > IPsec used to provide integrity or confidentiality+integrity
> > > protection, but not really just confidentiality protection.
> > 
> > I generally agree with your point.  Integrity protection is
> > important, but I am not sure that this is the document to drive this
> > point.  We have seen NULL encryption and NULL integrity algorithms
> > are very useful for debugging.
> 
> Right.  I am not suggesting a change of policy here, but rather an
> explanation for the MUST NOT use NULL ESP and NULL AH together.

So, "MUST is for implementors". It's about requirements on the implementation, not on how it is used. If you say that the NULL algorithms "MUST NOT be used", you are requiring the implementation not to permit their use under any circumstances. That seems excessively strong.

I agree with Russ - while deploying the NULL algorithms in production would be silly, having them for debugging can be terribly useful.

-- Jeff
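As an added illustration (not part of the thread), here is a small audit in Python that applies the distinction drawn above to installed SAs: NULL encryption with a real integrity algorithm is the legitimate debugging case, NULL encryption plus NULL integrity is the combination that protects nothing, and encryption without integrity is the "just confidentiality" case the thread discourages. The input format approximates Linux `ip xfrm state` output, and the algorithm names (`ecb(cipher_null)`, `digest_null`, `rfc4106(gcm(aes))`) are assumed to be the kernel's names; the sample itself is constructed.

```python
import re

# Constructed sample in the style of `ip xfrm state` output, not a real capture.
# Assumed Linux names: ecb(cipher_null) = NULL encryption, digest_null = NULL
# integrity, rfc4106(gcm(aes)) = combined-mode (AEAD) ESP.
SAMPLE_XFRM_STATE = """\
src 10.0.0.1 dst 10.0.0.2
\tproto esp spi 0x00000100 reqid 1 mode tunnel
\tauth-trunc hmac(sha256) 0x00112233 128
\tenc ecb(cipher_null) 0x
src 10.0.0.2 dst 10.0.0.1
\tproto esp spi 0x00000101 reqid 1 mode tunnel
\tauth-trunc digest_null 0x 0
\tenc ecb(cipher_null) 0x
src 10.0.0.3 dst 10.0.0.4
\tproto esp spi 0x00000102 reqid 2 mode transport
\taead rfc4106(gcm(aes)) 0x0011223344556677 128
src 10.0.0.4 dst 10.0.0.3
\tproto esp spi 0x00000103 reqid 3 mode transport
\tauth-trunc digest_null 0x 0
\tenc cbc(aes) 0x00112233445566778899aabbccddeeff
src 10.0.0.5 dst 10.0.0.6
\tproto ah spi 0x00000104 reqid 4 mode transport
\tauth-trunc digest_null 0x 0
"""

def parse_sas(text):
    """One dict per SA (src, dst, proto, enc/auth/aead names) from xfrm text."""
    sas = []
    for line in text.splitlines():
        if m := re.match(r"src (\S+) dst (\S+)", line):
            sas.append({"src": m.group(1), "dst": m.group(2)})
        elif sas and (m := re.match(r"(proto|enc|aead|auth)(?:-trunc)? (\S+)", line.strip())):
            sas[-1][m.group(1)] = m.group(2)   # "auth-trunc" is stored under "auth"
    return sas

def classify(sa):
    """(confidentiality, integrity) as the thread defines them; AEAD gives both."""
    aead = "aead" in sa
    conf = aead or ("enc" in sa and "cipher_null" not in sa["enc"])
    integ = aead or ("auth" in sa and "digest_null" not in sa["auth"])
    return conf, integ

def audit(text):
    """Verdict per SA keyed by (src, dst, proto); only integrity-bearing SAs pass."""
    verdicts = {}
    for sa in parse_sas(text):
        conf, integ = classify(sa)
        # NULL encryption + NULL integrity protects nothing: the MUST NOT case.
        verdicts[(sa["src"], sa["dst"], sa["proto"])] = (
            "ok" if integ else "confidentiality-only" if conf else "no-protection")
    return verdicts
```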
