[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Granularity of authentication in swIPe

To: perry@imsi.com
Subject: Re: Granularity of authentication in swIPe
From: Steve Kent <kent@BBN.COM>
Date: Wed, 22 Jun 94 11:20:57 -0400
Cc: ipsec@ans.net
In-Reply-To: Your message of Wed, 22 Jun 94 10:57:16 -0400. <9406221457.AA02772@snark.imsi.com>

Perry,

	The most efficient approach to solving a problem is almost
never the most general one as well.  I think you aer saying that an IV
field should not be an explicit part of IPSP.  I agree that one can
make the presence or absence of an IV a function of the encryption
algorithm being used and that's a reasonable approach.  One can not
provide an explicit IV field, but rather declare that an IV, if
present, must be prepended to the ciphertext portion of the packet.
That approach may reduce copying and it makes the size and any
structure of the IV is not visible to any IPSP software.  This is a
nice, object-orneited approach that should make it easy to use
different algorithms with IPSP.

	However, if one wants to save space in the header by reusing
the sequence number as the IV, this is in conflcit with the approach
described above.  Rather, the IPSP would have to pass the sequence
number field to the crypto software as an IV and that would require
that IPSP "know" that the sequence number was being used as an IV by
some algorithms.  That strikes me as not conducive to a modular IPSP
design, and thus I am arguing against it.  

Steve

Follow-Ups:

Re: Granularity of authentication in swIPe

From: tytso@ATHENA.MIT.EDU (Theodore Ts'o)

References:

Re: Granularity of authentication in swIPe

From: "Perry E. Metzger" <perry@imsi.com>

Prev by Date: Re: Granularity of authentication in swIPe
Next by Date: Fwd: Security architectures, anyone?
Prev by thread: Re: Granularity of authentication in swIPe
Next by thread: Re: Granularity of authentication in swIPe
Index(es):
- Main
- Thread