Phil, The issue is not that ESP needs a NULL cipher. It's that AH wouldn't traverse NAT, and so they needed ESP to do the work that AH was designed to do.
But beyond that little technicality, it stands out that they standardized AH at all. So they felt that there was a need for integrity-only IPsec. I guess part of this is that the perceived threats were different - there was less personal information on the Internet, and IPsec (unlike TLS) is much concerned with protecting non-confidential stuff like DNS, routing protocols. Today, about the only good use case I can think of that doesn't ever need confidentiality is NTP, and I don't know why we would want to design a protocol specifically for securing NTP. Another part is that this was 1996 and in 1996 you had the "Pentium Pro" with a 150 MHz clock and a 60 MHz bus, which could probably do a few Mbps of 3DES+HMAC-MD5, or four times that with HMAC-MD5 alone. These are not today's processors that do 4 Gbps per core with AES-GCM. BTW: this is not unique to IPsec. TLS also defines some NULL encryption ciphersuites. Yoav ================================== From: perpass [mailto:[email protected]] On Behalf Of Phillip Hallam-Baker Sent: Monday, December 09, 2013 7:46 AM To: Merike Kaeo Cc: perpass; Hannes Tschofenig; Nicholas Weaver; Stephen Farrell Subject: Re: [perpass] NULL Cipher RFC 2410 to HISTORIC ??? On Mon, Dec 9, 2013 at 12:11 AM, Merike Kaeo <[email protected]> wrote: And so I reply to myself but got curious and wanted evidence. I found first references of AH/ESP and NULL in 1996 June IPsec archives. http://www.sandelman.ottawa.on.ca/ipsec/1996/06/msg00030.html And while some interesting tidbits, the joggle for my memory banks was that there was a bunch of discussion on where AH would be used with ESP and whether ESP only would also be relevant. And while I couldn't find exact reference to the March 1998 interop testing in North Carolina that showed issues with AH not traversing NATs I am fairly certain that was the case and why in practice people starting using ESP-Null. (it wasn't in the notes for the follow-up IETF IPsec meeting). Someone else from that time may also be able to chime in. The wording of the RFC does not help. It suggests that the cipher is something of a joke and it states the original requirement came out of a meeting for interop testing. I am not sure that authentication only VPN is something that we would see the need for these days. If the base protocol still doesn't do NAT right without a NULL cipher then it is broken. -- Website: http://hallambaker.com/ _______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
