Netgate Discussion Forum

Why no ESP-NULL?

  • M
    mmcc
    last edited by Aug 26, 2011, 2:23 PM

    I've got an application in mind where authentication and data integrity are important, but confidentiality not so much. I'd like to do IPSec without encryption.

    I've tried setting up an AH tunnel, but without luck (subject of a different thread). The other option seems to be using the NULL encryption option:

    http://www.ietf.org/rfc/rfc2410.txt

    However, this isn't supported by pfSense.

    Is there any particular reason?

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Aug 26, 2011, 3:05 PM

      If it's pfSense on both ends, we do support the null cipher in OpenVPN.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • M
        mmcc
        last edited by Aug 26, 2011, 3:07 PM

        I did not know that. Unfortunately, it will not be pfSense on both ends, and on the non-pfSense end only IPSec will be possible.

        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Aug 26, 2011, 3:09 PM

          Then AH would be what you'd be after then. I've never tried AH so I'm not sure on the particulars, but in theory it should do the job.

          • M
            mmcc
            last edited by Aug 26, 2011, 3:11 PM

            I am indeed after AH. Unfortunately, that hasn't been going terribly well :) (see the next thread down).

            With respect to esp-null, I was just curious if there was a particular reason it hadn't been implemented, or if it just hadn't bubbled to the top.

            Thanks!

            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Aug 26, 2011, 3:13 PM

              Nobody has ever asked for esp-null to my knowledge, so it's probably lack of demand (and hence lack of funding or submitted code).

              The use cases for it are pretty rare as well.
