RFC 4301, "Security Architecture for the Internet Protocol", December 2005
Source of RFC: ipsec (sec)
Errata ID: 6635
Publication Format(s): TEXT
Reported By: Isaac Lewis
Date Reported: 2021-07-09
Rejected by: Benjamin Kaduk
Date Rejected: 2021-07-21
Section 3.2 says:
Note that ESP can be used to provide only integrity, without confidentiality, making it comparable to AH in most contexts.
It should say:
Note that ESP can be used to provide both integrity and confidentiality.
Notes:
The original sentence contradicts the following one in the same section:
   o The Encapsulating Security Payload (ESP) protocol [Ken05a] offers
     the same set of services, and also offers confidentiality.
--VERIFIER NOTES--
The original text is conveying the intended sentiment, namely that, despite primarily being a mechanism to provide both confidentiality and integrity protection, ESP can also be configured in a mode that only provides integrity protection and not confidentiality protection. Such a mode is essentially directly analogous to what AH provides, and thus this statement supports the downgrading of AH support to only a MAY-level requirement.