Re: IVs, summary of discussion

["Housley, Russ" <housley@spyrus.com>]

IPSECers:

>   So I take it that there's general agreement that Mode 1 encryption
>   (single key DES/CBC, as we've already discussed) can use the IPv4 ID 
>   field as the IV? Remember that we intend this mode to be mandatory in 
>   all IPSEC implementations to provide basic interoperability (only the 
>   implementation is mandatory, not its actual use). So it's really
>   important that it not be too difficult to add to existing 
>   implementations.
> 
> Except, of course, that IPv6 doesn't have the id field.

I would prefer one protocol data unit format that is appropriate for the 
use with IPv4 and IPv6.  I understand Phil's overhead concerns, but I think 
that the mandatory option set must work in both IPv4 and IPv6.

That said, I would prefer that the mandatory option set include the best 
possible security principles.  After all, we are designing a security 
protocol.  In some environments, less security may be traded off for 
improved performance, but in my opinion, less security should not be the 
default.

Russ

---

Follow-Ups:

• Re: IVs, summary of discussion
• From: Phil Karn <karn@qualcomm.com>

---

• Prev by Date: Re: IVs, summary of discussion
• Next by Date: Re: IVs, summary of discussion
• Prev by thread: Re: IVs, summary of discussion
• Next by thread: Re: IVs, summary of discussion
• Index(es):
  • Main
  • Thread