[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Granularity of authentication in swIPe
- To: Steve Kent <kent@BBN.COM>
- Subject: Re: Granularity of authentication in swIPe
- From: tytso@ATHENA.MIT.EDU (Theodore Ts'o)
- Date: Wed, 22 Jun 94 16:07:53 EDT
- Address: 1 Amherst St., Cambridge, MA 02139
- Cc: Theodore Ts'o <tytso@MIT.EDU>, ipsec@ans.net
- In-Reply-To: Steve Kent's message of Wed, 22 Jun 94 15:42:00 -0400,<9406221951.AA14663@MIT.EDU>
- Phone: (617) 253-8091
Date: Wed, 22 Jun 94 15:42:00 -0400
From: Steve Kent <kent@BBN.COM>
You're right, if you want to require that the crypto interface
parse the IPSP header, then IPSP treat the use of a sequence number as
IV uniformly. Your view is that the associated modulariy doesn't seem
to be worhtwhile; my view is that the proposed space-saving hack
doesn't seem to be worth violating modularity.
It doesn't need to *parse* the IPSP header --- the IPSP layer can merely
pass the parsed header in a structure to the crypto routine. Some
crypto routines may use the header information; and some crypto routines
won't. Presumably, systems where actual crypto is performed by a Top
Secret magic mystical black box which self-destructs using thermite if
you look at it the wrong way, may not use the header information. But
at this point, we're talking about implementation details of each
particular crypto system. I don't see a terrible modularity violation
--- certainly it's no worse than what say, what CSLIP does.
- Ted
Follow-Ups: