> Will H. Backman writes:
> > According to http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html,
> > there are some problems with certain IPSec configurations.
>
> RFC 2406 which describes ESP says in the introduction :-
>
> ESP is used to provide confidentiality, data origin authentication,
> connectionless integrity, an anti-replay service (a form of partial
> sequence integrity), and limited traffic flow confidentiality. ...
> Confidentiality may be selected independent of all other services.
> However, use of confidentiality without integrity/authentication
> (either in ESP or separately in AH) may undermine the
> confidentiality service (see [Bel96]).
>
> That last sentence is there for a reason.
>
> > Looks like you always need to use the -auth flag with the -enc flag with
> > ipsecadm when setting up esp.
> >
> > Should the man pages include these warnings?
>
> See the bottom of the ipsec(4) manual page :-
>
> There's a lot more to be said on this subject. This is just a beginning.
>
> In the meantime the default isakmpd/vpn configuration sets up ESP with
> SHA for authentication and the examples in the ipsecadm page use
> encryption with authentication. So, a user has to deviate from the
> defaults to be vulnerable to the aforementioned problem when using
> IPsec under OpenBSD.

I agree completely. This is the reason AH was there all along, and then in later IPSEC, integrated even more tightly into ESP. NISCC is just blowing this up to get more funding, I think. Perhaps for the same reason why they attempt to give themselves credit for other people's research (on other things they have recently published).
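
An added example, not part of the original thread and not OpenBSD code: a simplified ESP-style packet showing why the RFC 2406 sentence quoted above matters. A receiver with encryption only accepts a packet modified in transit, while one that checks an HMAC-SHA1-96 ICV drops it before decrypting. The cipher is a constructed stand-in (a SHA-256 counter keystream), and the function names, keys, SPI and payload are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96: ESP truncates the HMAC to 96 bits
IV_LEN = 8

def _keystream_xor(key, iv, data):
    # Constructed stand-in cipher (SHA-256 counter keystream), not a real ESP transform.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + iv + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))

def esp_seal(enc_key, auth_key, spi, seq, iv, payload):
    """Build SPI | seq | IV | ciphertext [| ICV]; auth_key=None means encryption only."""
    body = struct.pack(">II", spi, seq) + iv + _keystream_xor(enc_key, iv, payload)
    if auth_key is None:
        return body
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]

def esp_open(enc_key, auth_key, packet):
    """Verify the ICV (when an auth key is configured) before decrypting."""
    body = packet
    if auth_key is not None:
        if len(packet) < 8 + IV_LEN + ICV_LEN:
            raise ValueError("packet too short")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch, packet dropped")
    iv, ciphertext = body[8:8 + IV_LEN], body[8 + IV_LEN:]
    return _keystream_xor(enc_key, iv, ciphertext)

def modified_in_transit(auth_key):
    """Flip one ciphertext bit on the wire and report what the receiver sees."""
    enc_key, iv = b"E" * 16, b"\x01" * IV_LEN  # constructed sample values
    packet = bytearray(esp_seal(enc_key, auth_key, 0x1000, 1, iv, b"sample payload"))
    packet[8 + IV_LEN] ^= 0x01  # first ciphertext byte
    try:
        return esp_open(enc_key, auth_key, bytes(packet))
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    print("encryption only:", modified_in_transit(None))
    print("with HMAC-SHA1 :", modified_in_transit(b"A" * 20))
```

The ICV is computed over the SPI, sequence number, IV and ciphertext, so a change to any of them is caught before the payload is decrypted.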

