
Re: Comments on IPSEC work
Paal:

You say:
   - It is unclear why the author introduces an additional protocol
     type (the IPPROTO_SWIPE).

Many management packages look inside packets.  There must be a protocol 
identifier that warns these packages that they will not be able to 
parse the contents of the IP datagram.  That is, the IP datagram is not 
carrying TCP or UDP.

You say:
   - The swIPe protocol claims to support a "wide variety" of crypto
     systems. Well, this wide variety actually excludes all stream 
     ciphers. If you use a stream-cipher, you will have to carry 
     some use-and-discard crypto synchronization per packet, such as 
     a random IV or an encrypted random packet encryption key.
     There is no room for this in the swIPe header.

Why can't you simply prepend the IV to the ciphertext?  The ciphertext will 
be longer than the plaintext, but I do not see this as a problem.  Do you?

You say:
   - A good thing about swIPe is that its header is word aligned.

I agree.  Many client protocols to IP assume that they are word aligned.  This 
is not true of OSI protocols, so NLSP does not address this issue.

Russ