authentication and ESP

Derek Atkins derek at ihtfp.com
Sun Jun 22 13:33:00 EDT 2003


you really don't want to open this can of worms....  I suggest you
go read the archives of the IPsec mailing list over the last 9
years.  That should give you some clue into the depth of the
can you plan to open...

-derek

martin f krafft <madduck at madduck.net> writes:

> As far as I can tell, IPsec's ESP has the functionality of
> authentication and integrity built in:
> 
> RFC 2406:
> 
>    2.7 Authentication Data
> 
>    The Authentication Data is a variable-length field containing an
>    Integrity Check Value (ICV) computed over the ESP packet minus
>    the Authentication Data.  The length of the field is specified by
>    the authentication function selected.  The Authentication Data
>    field is optional, and is included only if the authentication
>    service has been selected for the SA in question.  The
>    authentication algorithm specification MUST specify the length of
>    the ICV and the comparison rules and processing steps for
>    validation.
> 
> To my knowledge, IPsec implementations use AH for "signing" though.
> Why do we need AH, or why is it preferred?
> 
> Thanks for your clarification!
> 
> -- 
> martin;              (greetings from the heart of the sun.)
>   \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck
>  
> invalid PGP subkeys? use subkeys.pgp.net as keyserver!
>  
> XP is NT with eXtra Problems.

-- 
       Derek Atkins                 
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
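The RFC 2406 text quoted above says the ICV is computed over the whole ESP packet minus the Authentication Data field itself. The following is an added illustration, not code from either poster or from any IPsec implementation, of that layout and check. It assumes HMAC-SHA1-96 (RFC 2404) as the selected authentication algorithm, so the ICV is the HMAC-SHA-1 output truncated to 12 bytes, and it skips the confidentiality step entirely: the plaintext payload here stands in for the encrypted data that a real ESP sender would have produced before computing the ICV. The key, SPI, sequence number and payload are constructed sample values.

```python
import hmac
import hashlib
import struct

# Assumed algorithm: HMAC-SHA1-96 (RFC 2404) -> 20-byte HMAC truncated to 96 bits.
ICV_LEN = 12
# Constructed sample key; a real SA would carry a negotiated or configured key.
SAMPLE_KEY = b"\x0b" * 20


def build_esp_packet(spi, seq, payload, next_header, block_size=8):
    """Assemble SPI | Seq | Payload | Padding | Pad Length | Next Header (no ICV yet).

    RFC 2406 requires Pad Length and Next Header to end on a 4-byte boundary;
    block_size=8 mimics the alignment a 64-bit block cipher would impose.
    Here `payload` stands in for the already-encrypted data.
    """
    header = struct.pack("!II", spi, seq)
    pad_len = (-(len(payload) + 2)) % block_size
    padding = bytes(range(1, pad_len + 1))  # RFC 2406 default padding: 1, 2, 3, ...
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    return header + payload + trailer


def compute_icv(key, esp_packet_without_icv):
    """ICV over the ESP packet minus the Authentication Data field (RFC 2406 2.7)."""
    return hmac.new(key, esp_packet_without_icv, hashlib.sha1).digest()[:ICV_LEN]


def protect(key, spi, seq, payload, next_header):
    """Sender side: append the Authentication Data field to the ESP packet."""
    pkt = build_esp_packet(spi, seq, payload, next_header)
    return pkt + compute_icv(key, pkt)


def verify(key, packet):
    """Receiver side: recompute the ICV and compare in constant time.

    Any change to SPI, sequence number, payload, padding or trailer changes
    the expected ICV, so the packet is rejected before any further processing.
    """
    if len(packet) < 8 + 2 + ICV_LEN:
        return False
    body, received_icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(received_icv, compute_icv(key, body))


def parse_protected(key, packet):
    """Verify first, then split the packet back into its RFC 2406 fields."""
    if not verify(key, packet):
        raise ValueError("ICV mismatch: packet rejected")
    body = packet[:-ICV_LEN]
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    payload = body[8:-2 - pad_len]
    return spi, seq, payload, next_header


if __name__ == "__main__":
    # Constructed sample: SPI 0x1234, sequence 1, "hello world" as stand-in ciphertext, TCP (6).
    pkt = protect(SAMPLE_KEY, 0x1234, 1, b"hello world", 6)
    print("valid:", verify(SAMPLE_KEY, pkt))
    tampered = bytearray(pkt)
    tampered[10] ^= 0x01  # flip one bit inside the payload
    print("tampered valid:", verify(SAMPLE_KEY, bytes(tampered)))
    print(parse_protected(SAMPLE_KEY, pkt))
```

The sequence number sits inside the authenticated region, which is what lets a receiver reject replayed packets without a separate mechanism; a tampered byte anywhere in the packet, including the ESP header, makes `verify` return False. What this check does not cover is the outer IP header, since the ICV starts at the SPI.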

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
