authentication and ESP
martin f krafft
madduck at madduck.net
Thu Jun 19 13:49:40 EDT 2003
As far as I can tell, IPsec's ESP has the functionality of
authentication and integrity built in:
RFC 2406:
2.7 Authentication Data
The Authentication Data is a variable-length field containing an
Integrity Check Value (ICV) computed over the ESP packet minus
the Authentication Data. The length of the field is specified by
the authentication function selected. The Authentication Data
field is optional, and is included only if the authentication
service has been selected for the SA in question. The
authentication algorithm specification MUST specify the length of
the ICV and the comparison rules and processing steps for
validation.
To my knowledge, IPsec implementations use AH for "signing" though.
Why do we need AH, or why is it preferred?
Thanks for your clarification!
--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck
invalid PGP subkeys? use subkeys.pgp.net as keyserver!
XP is NT with eXtra Problems.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20030619/0aad50fe/attachment.pgp>
More information about the cryptography
mailing list