John S. Denker wrote:
On 06/19/2003 01:49 PM, martin f krafft wrote:
> As far as I can tell, IPsec's ESP has the functionality of
> authentication and integrity built in:

It depends on what you mean by "built in".

1) The RFC provides for ESP+authentication but
does not require ESP to use authentication.

2) Although the RFC allows ESP without
authentication, typical implementations are
less flexible. In FreeS/WAN for instance, if
you ask for ESP you will get ESP+AH.

ESP without authentication may be vulnerable to
replay attacks and/or active attacks that tamper
with the bits in transit. The degree of vulnerability
depends on details (type of chaining, higher-level
properties of payload, ...).

There's some discussion and links in the FreeS/WAN
docs:
http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/ipsec.html#encnoauth
---------------------------------------------------------------------
The Cryptography Mailing List
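
The tampering risk described in the message above, as an added example that is not part of the original post or of FreeS/WAN: a receiver doing CBC decryption alone accepts a ciphertext altered in transit, while the same packet carrying an HMAC tag is dropped. The block cipher is a toy Feistel stand-in, and every name, key and payload here is constructed for illustration.

```python
import hashlib
import hmac
BLOCK = 16
# Constructed sample keys, IV and two-block payload (not from the original post).
ENC_KEY, MAC_KEY, IV = b"E" * 16, b"M" * 16, bytes(16)
PAYLOAD = b"block-one-16byte" + b"block-two-16byte"

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):  # toy 4-round Feistel, stand-in for a real cipher; not secure
    left, right = blk[:8], blk[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def dec_block(key, blk):  # inverse of enc_block: same rounds in reverse order
    left, right = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def cbc_encrypt(key, iv, pt):  # len(pt) must be a multiple of BLOCK (no padding here)
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):  # never fails: any ciphertext yields some plaintext
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(dec_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def seal(enc_key, mac_key, iv, pt):  # encrypt, then append HMAC over IV + ciphertext
    ct = cbc_encrypt(enc_key, iv, pt)
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, iv, packet):  # verify first; None means "drop"
    ct, tag = packet[:-32], packet[-32:]
    expect = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return cbc_decrypt(enc_key, iv, ct) if hmac.compare_digest(tag, expect) else None

def flip_bit(data, pos):  # models one bit altered in transit
    return data[:pos] + bytes([data[pos] ^ 0x01]) + data[pos + 1:]
```

In real ESP the authentication data also covers the SPI and sequence number, which is what the anti-replay check depends on.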