Re: IVs, summary of discussion
IPSECers:
> So I take it that there's general agreement that Mode 1 encryption
> (single key DES/CBC, as we've already discussed) can use the IPv4 ID
> field as the IV? Remember that we intend this mode to be mandatory in
> all IPSEC implementations to provide basic interoperability (only the
> implementation is mandatory, not its actual use). So it's really
> important that it not be too difficult to add to existing
> implementations.
>
> Except, of course, that IPv6 doesn't have the id field.
I would prefer one protocol data unit format that is appropriate for the
use with IPv4 and IPv6. I understand Phil's overhead concerns, but I think
that the mandatory option set must work in both IPv4 and IPv6.

That said, I would prefer that the mandatory option set include the best
possible security principles. After all, we are designing a security
protocol. In some environments, less security may be traded off for
improved performance, but in my opinion, less security should not be the
default.

Russ