RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 4303, "IP Encapsulating Security Payload (ESP)", December 2005

Source of RFC: ipsec (sec)

Errata ID: 3876
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT

Reported By: Yaron Sheffer
Date Reported: 2014-01-31
Held for Document Update by: Stephen Farrell
Date Held: 2014-05-08

Section Introduction says:

Using encryption-only for confidentiality is allowed by ESP. However, it
should be noted that in general, this will provide defense only against
passive attackers.  Using encryption without a strong integrity
mechanism on top of it (either in ESP or separately via AH) may render
the confidentiality service insecure against some forms of active
attacks [Bel96, Kra01].  Moreover, an underlying integrity service, such
as AH, applied before encryption does not necessarily protect the
encryption-only confidentiality against active attackers [Kra01]. ESP
allows encryption-only SAs because this may offer considerably better
performance and still provide adequate security, e.g., when higher-layer
authentication/integrity protection is offered independently. However,
this standard does not require ESP implementations to offer an
encryption-only service.

It should say:

Using encryption-only for confidentiality is allowed by ESP.
However, it should be noted that in general, this will provide defense
only against passive attackers.  Using encryption without a strong
integrity mechanism on top of it (either in ESP or separately via AH)
may render the confidentiality service insecure against some forms of
active attacks [Bel96, Kra01, DP07].  Moreover, applying AH
before encryption does not protect the encryption-only
confidentiality against active attackers [DP10]. ESP
allows encryption-only SAs primarily for compatibility with older
implementations, and because this may offer better performance.
It is noted (and has been demonstrated, e.g. in [DP07]) that
ESP in this mode does not provide adequate security even when
higher-layer authentication/integrity protection is offered
independently. This standard does not require ESP implementations to
offer an encryption-only service.

[DP07] Jean Paul Degabriele and Kenneth G. Paterson, Attacking the
IPsec Standards in Encryption-only Configurations, IACR 2007/125.

[DP10] Jean Paul Degabriele and Kenneth G. Paterson: On the
(in)security of IPsec in MAC-then-encrypt configurations.
ACM Conference on Computer and Communications Security 2010:
493-504. 

Notes:

The existing text asserts that ESP in encryption-only mode can in some cases provide "adequate security", even though the sense of the paragraph is in general against it. A series of papers published subsequently to the RFC demonstrate that this assertion is incorrect: active attackers can defeat the confidentiality guarantees, and such attacks are practical.

Report New Errata