Re: [IPsec] Updated ESP/AH algorithm I-D
Hi Sheila,

Thanks for pointing this out. I agree that the draft needs to be changed to align with the ESP RFC.

David

On 3/12/13 10:01 AM, Frankel, Sheila E. sheila.fran...@nist.gov wrote:
> Hi David and Wajdi,
>
> Your updated ESP/AH algorithm doc looks great, and is very much needed. I just have one comment.
>
> You speak of the 2 services provided by ESP and AH as confidentiality and data origin authentication. As I'm sure you know, authentication is used in different ways by different communities. I believe that in most of the IPsec docs the 1st service is referred to interchangeably as encryption and confidentiality; the 2nd service is interchangeably referred to as authentication and integrity protection. However, in RFC 4303 (ESP) it states:
>
>     Data origin authentication and connectionless integrity are joint services, hereafter referred to jointly as integrity.
>
> In your doc, the integrity-protection aspect is not mentioned at all, and I believe that is a critical oversight.
>
> Sheila Frankel

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] Updated ESP/AH algorithm I-D
Sheila,

I did a quick check of 4301, and it uses the term confidentiality consistently when referring to the service, and uses encryption to refer to the mechanism. They are not used interchangeably. The same seems to apply to use of terminology re data origin authentication, integrity, etc.

Steve

On 3/12/13 10:01 AM, Frankel, Sheila E. wrote:
> Hi David and Wajdi,
>
> Your updated ESP/AH algorithm doc looks great, and is very much needed. I just have one comment.
>
> You speak of the 2 services provided by ESP and AH as confidentiality and data origin authentication. As I'm sure you know, authentication is used in different ways by different communities. I believe that in most of the IPsec docs the 1st service is referred to interchangeably as encryption and confidentiality; the 2nd service is interchangeably referred to as authentication and integrity protection. However, in RFC 4303 (ESP) it states:
>
>     Data origin authentication and connectionless integrity are joint services, hereafter referred to jointly as integrity.
>
> In your doc, the integrity-protection aspect is not mentioned at all, and I believe that is a critical oversight.
>
> Sheila Frankel
Re: [IPsec] Updated ESP/AH algorithm I-D
Steve,

Perhaps I wasn't clear in the main thrust of my message. I'm not quibbling about terminology; I'm concerned that the I-D is lacking some vital information. The I-D discusses 2 services provided by ESP and AH: confidentiality and data origin authentication. My point was that the 2nd service includes connectionless integrity protection as well - which is not identical to data origin authentication - and therefore integrity protection should be mentioned in the I-D.

Sheila

From: Stephen Kent [k...@bbn.com]
Sent: Tuesday, March 12, 2013 11:09 AM
To: ipsec@ietf.org; Frankel, Sheila E.
Subject: Re: [IPsec] Updated ESP/AH algorithm I-D

Sheila,

I did a quick check of 4301, and it uses the term confidentiality consistently when referring to the service, and uses encryption to refer to the mechanism. They are not used interchangeably. The same seems to apply to use of terminology re data origin authentication, integrity, etc.

Steve

On 3/12/13 10:01 AM, Frankel, Sheila E. wrote:
> Hi David and Wajdi,
>
> Your updated ESP/AH algorithm doc looks great, and is very much needed. I just have one comment.
>
> You speak of the 2 services provided by ESP and AH as confidentiality and data origin authentication. As I'm sure you know, authentication is used in different ways by different communities. I believe that in most of the IPsec docs the 1st service is referred to interchangeably as encryption and confidentiality; the 2nd service is interchangeably referred to as authentication and integrity protection. However, in RFC 4303 (ESP) it states:
>
>     Data origin authentication and connectionless integrity are joint services, hereafter referred to jointly as integrity.
>
> In your doc, the integrity-protection aspect is not mentioned at all, and I believe that is a critical oversight.
>
> Sheila Frankel
Re: [IPsec] Updated ESP/AH algorithm I-D
Steve,

I certainly didn't intend any insults, and I wouldn't characterize the wording in the RFCs as sloppy. It's very common to use these terms somewhat interchangeably. Sorry if my wording could be construed as a criticism. That's the last thing I'd want, considering the tremendous amount of hard work that went into the RFCs.

Regards,
Sheila

From: Stephen Kent [k...@bbn.com]
Sent: Tuesday, March 12, 2013 1:05 PM
To: ipsec@ietf.org; Frankel, Sheila E.
Subject: Re: [IPsec] Updated ESP/AH algorithm I-D

Sheila,

I understood your point. I objected to your statement that other IPsec RFCs were sloppy in the use of security service/mechanism terminology.

Steve

> Steve,
>
> Perhaps I wasn't clear in the main thrust of my message. I'm not quibbling about terminology; I'm concerned that the I-D is lacking some vital information. The I-D discusses 2 services provided by ESP and AH: confidentiality and data origin authentication. My point was that the 2nd service includes connectionless integrity protection as well - which is not identical to data origin authentication - and therefore integrity protection should be mentioned in the I-D.
>
> Sheila