RFC Errata
RFC 4303, "IP Encapsulating Security Payload (ESP)", December 2005
Source of RFC: ipsec (sec)
Errata ID: 3876
Status: Held for Document Update
Type: Technical
Publication Format(s): TEXT
Reported By: Yaron Sheffer
Date Reported: 2014-01-31
Held for Document Update by: Stephen Farrell
Date Held: 2014-05-08
Section Introduction says:
Using encryption-only for confidentiality is allowed by ESP. However, it should be noted that in general, this will provide defense only against passive attackers. Using encryption without a strong integrity mechanism on top of it (either in ESP or separately via AH) may render the confidentiality service insecure against some forms of active attacks [Bel96, Kra01]. Moreover, an underlying integrity service, such as AH, applied before encryption does not necessarily protect the encryption-only confidentiality against active attackers [Kra01]. ESP allows encryption-only SAs because this may offer considerably better performance and still provide adequate security, e.g., when higher-layer authentication/integrity protection is offered independently. However, this standard does not require ESP implementations to offer an encryption-only service.
It should say:
Using encryption-only for confidentiality is allowed by ESP. However, it should be noted that in general, this will provide defense only against passive attackers. Using encryption without a strong integrity mechanism on top of it (either in ESP or separately via AH) may render the confidentiality service insecure against some forms of active attacks [Bel96, Kra01, DP07]. Moreover, applying AH before encryption does not protect the encryption-only confidentiality against active attackers [DP10]. ESP allows encryption-only SAs primarily for compatibility with older implementations, and because this may offer better performance. It is noted (and has been demonstrated, e.g. in [DP07]) that ESP in this mode does not provide adequate security even when higher-layer authentication/integrity protection is offered independently. This standard does not require ESP implementations to offer an encryption-only service.

[DP07] Jean Paul Degabriele and Kenneth G. Paterson, Attacking the IPsec Standards in Encryption-only Configurations, IACR 2007/125.

[DP10] Jean Paul Degabriele and Kenneth G. Paterson: On the (in)security of IPsec in MAC-then-encrypt configurations. ACM Conference on Computer and Communications Security 2010: 493-504.
Notes:
The existing text asserts that ESP in encryption-only mode can in some cases provide "adequate security", even though the sense of the paragraph is in general against it. A series of papers published subsequently to the RFC demonstrate that this assertion is incorrect: active attackers can defeat the confidentiality guarantees, and such attacks are practical.
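One way to check a host for the encryption-only ESP SAs discussed above, as an added example that is not part of the erratum or of RFC 4303. It assumes a Linux gateway whose SAs are listed with `ip xfrm state`; the sample dump, addresses, SPIs and keys are constructed, and the function names are hypothetical.

```python
# Constructed sample in the layout printed by Linux `ip xfrm state` (keys are dummies).
SAMPLE = """\
src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0x00000101 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x0000 128
    enc cbc(aes) 0x0000
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0x00000102 reqid 1 mode tunnel
    enc cbc(aes) 0x0000
src 192.0.2.1 dst 192.0.2.3
    proto esp spi 0x00000103 reqid 2 mode transport
    aead rfc4106(gcm(aes)) 0x0000 128
src 192.0.2.3 dst 192.0.2.1
    proto esp spi 0x00000104 reqid 2 mode transport
    auth-trunc digest_null 0x 0
    enc cbc(des3_ede) 0x0000
"""

def parse_sas(text):
    """Split the dump into one dict per SA: src, dst, proto, spi, enc, auth, aead."""
    sas = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "src" and len(f) >= 4 and f[2] == "dst":
            sas.append({"src": f[1], "dst": f[3]})   # header line opens a new SA
        elif not sas:
            continue
        elif f[0] == "proto" and len(f) >= 4 and f[2] == "spi":
            sas[-1].update(proto=f[1], spi=f[3])
        elif f[0] in ("enc", "aead") and len(f) >= 2:
            sas[-1][f[0]] = f[1]
        elif f[0] in ("auth", "auth-trunc") and len(f) >= 2:
            sas[-1]["auth"] = f[1]
    return sas

def encryption_only(sa):
    """True for an ESP SA that encrypts but has no integrity algorithm."""
    if sa.get("proto") != "esp" or "aead" in sa or "enc" not in sa:
        return False
    # Assumption: the kernel reports NULL authentication as "digest_null".
    return sa.get("auth", "digest_null") == "digest_null"

def audit(text):
    """Return (src, dst, spi, cipher) for every encryption-only ESP SA."""
    return [(s["src"], s["dst"], s["spi"], s["enc"])
            for s in parse_sas(text) if encryption_only(s)]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("encryption-only ESP SA:", *finding)
```

The check does not count an AH SA between the same peers as integrity protection, in line with the corrected text's statement that applying AH before encryption does not protect an encryption-only SA.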