authentication and ESP
Sandy Harris
sandy at storm.ca
Sun Jun 22 22:12:39 EDT 2003
John S. Denker wrote:
> On 06/19/2003 01:49 PM, martin f krafft wrote:
> > As far as I can tell, IPsec's ESP has the functionality of
> > authentication and integrity built in:
>
> It depends on what you mean by "built in".
> 1) The RFC provides for ESP+authentication but
> does not require ESP to use authentication.
> 2) Although the RFC allows ESP without
> authentication, typical implementations are
> less flexible. In FreeS/WAN for instance, if
> you ask for ESP will get ESP+AH.
>
> ESP without authentication may be vulnerable to
> replay attacks and/or active attacks that tamper
> with the bits in transit. The degree of vulnerability
> depends on details (type of chaining, higher-level
> properties of payload, ...).
There's some discussion and links in the FreeS/WAN
docs:
http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/ipsec.html#encnoauth
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list