[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: End to End integrity (was 4 byte vs 8 byte IVs for DES)
>in San Jose. For very good reasons (so that you can have guarantees
>about the integrity of the addresses) Ran's spec for v6 includes a
>pseudoheader consisting of the invariant parts of the header of the IP
>datagram in his authentication header. I strongly feel we should be
>specifying something similar. This is doubly important in the
I'm not sure I agree. I think there's a fairly widespread feeling that
the pseudoheaders in the UDP and TCP checksums were a mistake, or at
least not really necessary. Even if deliberate misrouting is an issue,
what good would it do you given that each host pair has its own unique
key anyway?
I haven't thought as much about multicast, but it seems to me there's
not much you can do to protect against a rogue member who already has
the session key. Other than rekeying to exclude him, of course.
Phil
Follow-Ups:
References: