
Re: Re[2]: My current thoughts on IPSEC
James P. Hughes says:
> 
> > I think the simplest answer is not to use the same key for both
> > directions.
> 
> This is possible even if a single key negotiation is used.
> 
> I.e., when the Diffie Hellman "negotiation" is complete, there is at least 512
> bits of common random data at both ends. This is more than enough for 2
> symmetric keys of almost any algorithm I know of.

In systems such as swIPe, the real headers of the packets are stored
in the fully encrypted payload, and in any case all the TCP and
similar higher layers know how to deal with duplicated and missing
packets since they were built without any guarantees that the IP layer
would not do such things.  Replaying a packet in the opposite
direction won't work, and replaying a packet to a machine won't work.

I hope everyone on this group has read the swIPe draft.

Perry
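The point above, splitting one Diffie-Hellman result into a separate key per direction, as an added example that is not part of the original thread: the 512-bit shared value is a constructed stand-in, the keys are derived with HKDF-SHA256 using a direction label, and per-packet HMAC tags stand in for whatever integrity check the real protocol uses. With distinct directional keys a packet reflected back to its sender fails the check; with one shared key it is accepted.

```python
import hashlib
import hmac


def hkdf(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF-SHA256: extract a PRK, then expand it under a context label."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def directional_keys(shared_secret: bytes) -> tuple[bytes, bytes]:
    """Two independent keys from one DH result: one per traffic direction."""
    return (hkdf(shared_secret, b"initiator->responder"),
            hkdf(shared_secret, b"responder->initiator"))


def tag(key: bytes, packet: bytes) -> bytes:
    return hmac.new(key, packet, hashlib.sha256).digest()


def verify(key: bytes, packet: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(key, packet), t)


# Constructed stand-in for the 512-bit shared value a DH exchange would yield.
SHARED = hashlib.sha512(b"constructed example shared secret").digest()


def reflection_demo() -> dict:
    """Compare one shared key for both directions against per-direction keys."""
    pkt = b"constructed packet from A to B"
    # Single-key case: A and B both use the same key in both directions.
    k_both = hkdf(SHARED, b"single shared key")
    reflected_single = verify(k_both, pkt, tag(k_both, pkt))
    # Directional case: A tags with k_ab; B checks with k_ab; a copy sent back
    # to A is checked against k_ba and fails.
    k_ab, k_ba = directional_keys(SHARED)
    t = tag(k_ab, pkt)
    return {
        "keys_distinct": k_ab != k_ba,
        "accepted_by_b": verify(k_ab, pkt, t),
        "reflected_accepted_single_key": reflected_single,
        "reflected_accepted_directional": verify(k_ba, pkt, t),
    }
```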

