End to End integrity (was 4 byte vs 8 byte IVs for DES)

["Perry E. Metzger" <perry@imsi.com>]

Paul_Lambert-P15452@email.mot.com says:
> Violating protocol layering is usually a bad idea.  Environments
> exist where an end-system address may not follow the SAID
> end-to-end.  IP addresses are supposed to be end-to-end, but many
> real systems translate the addresses.

I'll point out something that we didn't discuss in sufficient detail
in San Jose. For very good reasons (so that you can have guarantees
about the integrity of the addresses) Ran's spec for v6 includes a
pseudoheader consisting of the invariant parts of the header of the IP
datagram in his authentication header. I strongly feel we should be
specifying something similar. This is doubly important in the
multicast case where a third party could simply re-label the origin of
the packet without any knowledge at all of the contents or key and
still have it check out just fine if the origin and destination
addresses are changed.

Given that you need to be able to maintain end to end integrity of the
source and destination addresses, some of your arguments become a bit
more interesting/different...

Perry

---

Follow-Ups:

• Re: End to End integrity (was 4 byte vs 8 byte IVs for DES)
• From: Phil Karn <karn@unix.ka9q.ampr.org>

References:

• Address as IV [was] Size of IV field in DES-CBC mode
• From: Paul_Lambert-P15452@email.mot.com

---

• Prev by Date: Re: Re[3]: Clarification: NRP's licensing status & IKMP
• Next by Date: Re: Size of IV field in DES-CBC mode
• Prev by thread: Re: Address as IV [was] Size of IV field in DES-CBC mode
• Next by thread: Re: End to End integrity (was 4 byte vs 8 byte IVs for DES)
• Index(es):
  • Main
  • Thread