
Re: [secdir] Review of draft-manral-ipsec-rfc4305-bis-errata-02.txt

2006-12-12 16:12:54
On Mon, Dec 11, 2006 at 05:50:20PM -0500, Jeffrey Hutzelman wrote:
> On Monday, December 11, 2006 04:34:54 PM -0600 Nicolas Williams
> <Nicolas.Williams@sun.com> wrote:
> > Right.  I am not suggesting a change of policy here, but rather an
> > explanation for the MUST NOT use NULL ESP and NULL AH together.
>
> So, "MUST is for implementors".  It's about requirements on the
> implementation, not on how it is used.  If you say that the NULL algorithms
> "MUST NOT be used", you are requiring the implementation not to permit
> their use under any circumstances.  That seems excessively strong.
>
> I agree with Russ - while deploying the NULL algorithms in production would
> be silly, having them for debugging can be terribly useful.

The RFC and I-D say:

|   (1) Since ESP encryption is optional, support for the "NULL"
|       algorithm is required to maintain consistency with the way
|       services are negotiated. Note that while authentication
|       and encryption can each be "NULL", they MUST NOT both be
|       "NULL".

Is this for implementors?  Doesn't this conflict with Russ' point about
debugging?  I suspect that the "MUST NOT" I quote above should really be
a lower-case "must not" or "should not, except for debugging, ..."

Anyways, the rationale for downgrading NULL AH from MUST implement to
MAY implement should be given.  It's quite simple, I'm sure:

   The NULL AH algorithm has been downgraded to "MAY implement" because
   integrity protection should always be used where IPsec is used.  Thus
   an AH algorithm that does not, in fact, provide integrity protection,
   is not useful (except for debugging purposes), and is not needed for
   interoperability.

Finally, a bit of security considerations text:

   Except for debugging purposes, where IPsec is used it should be used
   to provide at least integrity protection.  Therefore the NULL AH
   algorithm is generally not useful, except for debugging.  Use of the
   NULL AH algorithm in conjunction with the NULL ESP algorithm results
   in no protection whatsoever, and so should be avoided except for
   debugging purposes.

Nico
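As an added illustration of the rule quoted above (example code written for this page, not from the draft, the RFC or any IPsec implementation): a policy check over an SA bundle that rejects NULL integrity combined with NULL encryption unless a debug flag is set, and flags NULL AH and encryption-only ESP as the weak cases. The algorithm names are illustrative, and the AEAD handling goes beyond the RFC 4305 text: a combined-mode cipher such as AES-GCM supplies its own integrity check, so ESP with AES-GCM and a "NULL" integrity algorithm is not the NULL/NULL case.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption (not in RFC 4305, which lists only separate ciphers and MACs):
# combined-mode ciphers carry their own integrity check.
AEAD_ENCR = {"AES-GCM", "AES-CCM"}

@dataclass(frozen=True)
class Sa:
    protocol: str               # "ESP" or "AH"
    encr: Optional[str] = None  # ESP only; "NULL" means no confidentiality
    integ: str = "NULL"         # "NULL" means no separate integrity algorithm

def has_integrity(sa: Sa) -> bool:
    if sa.protocol == "AH":
        return sa.integ != "NULL"
    if sa.protocol == "ESP":
        return sa.integ != "NULL" or sa.encr in AEAD_ENCR
    raise ValueError(f"unknown protocol {sa.protocol!r}")

def has_confidentiality(sa: Sa) -> bool:
    return sa.protocol == "ESP" and sa.encr not in (None, "NULL")

def check_bundle(bundle: List[Sa], debug: bool = False) -> Tuple[bool, List[str]]:
    """Return (accepted, notes). The hard rule is the RFC's: integrity and
    encryption may each be NULL but not both, unless `debug` is set (the
    debugging exception argued for on the list). Notes flag weaker choices."""
    notes: List[str] = []
    for sa in bundle:
        if sa.protocol == "ESP" and sa.encr is None:
            return False, ["ESP SA is missing its encryption algorithm"]
        if sa.protocol == "AH" and sa.integ == "NULL":
            notes.append("NULL AH provides nothing; only useful for debugging")
    integrity = any(has_integrity(sa) for sa in bundle)
    confidentiality = any(has_confidentiality(sa) for sa in bundle)
    if not integrity and not confidentiality:
        if debug:
            return True, notes + ["no protection whatsoever (debug mode only)"]
        return False, notes + ["rejected: NULL integrity and NULL encryption"]
    if not integrity:
        notes.append("encryption-only: no integrity protection; avoid in production")
    return True, notes
```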