
Re[2]: Address as IV [was] Size of IV field in DES-CBC mode




Carl,

>Is IPSP associated with the IP-layer or not? If it is, then a unique IP
>address must be available at each end of the "association", it may be a "red"
>address, unknown to the network at large, or a "black" address, available to
>the network at large. In either case, for the datagram to be delivered to a
>decryptor, it must be addressable, and the encryptor-decryptor pair must know
>each other's "encrypting" address.

In the real world, IP addresses are not always end-to-end.  Examples:

 - Tunneling of non-IP protocols
 - Mobile IP
 - IP / IPSP1 / IPSP2 (double encryption with IPSP)
    note that an address may be available implicitly to IPSP2 but not explicitly

Also, consider router-like scenarios where a device decrypts traffic for 
multiple addresses.  Traffic between pairs of router-like devices could be 
protected with a single SAID, even though there might be several visible 
"black" addresses.

We should not limit the usage of IPSP by using specific IP fields outside of 
the IPSP encapsulation.  For our specific discussion on IVs, there are several 
other viable options.

>The other option is that IPSP is associated with the transport layer, where
>several IP providers (addresses) may map to a particular transport provider.
>But this option is hard to accommodate at gateways.

I do not know what you mean here and it seems off the topic of IVs for DES-CBC 
...



Paul



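A small illustration of the point made above about IVs tied to address fields outside the IPSP encapsulation, added here as example code that is not from this thread: a toy Feistel cipher stands in for DES, CBC runs with an IV derived from the address pair each end sees, and a tunnel or Mobile IP hop that rewrites the outer header garbles the first block, whereas an IV carried inside the encapsulation survives unchanged. The cipher, key, addresses and `transmit` scenario are all constructed for this example.

```python
import hashlib
import os

BLOCK = 8  # 64-bit block, as in DES

def _round(key, half, rnd):
    # Keyed round function for the toy cipher: truncated SHA-256 of (key, round, half).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def block_encrypt(key, block):
    # Toy 8-round 64-bit Feistel cipher standing in for DES (constructed, not secure).
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, _xor(left, _round(key, right, rnd))
    return right + left
def block_decrypt(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(8)):
        left, right = right, _xor(left, _round(key, right, rnd))
    return right + left
def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)
def iv_from_addresses(src, dst):
    # The address-as-IV idea: IV = source || destination IPv4 address (8 bytes).
    return bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))
def transmit(explicit_iv, address_rewritten):
    # Returns what the decryptor recovers. Key and addresses are constructed values.
    key = b"constructed shared key"
    plaintext = b"block 1 block 2 block 3 "
    sender_view = ("10.0.0.1", "10.0.0.2")  # "red" addresses seen by the encryptor
    # A tunnel or Mobile IP hop changes the outer header the decryptor sees.
    receiver_view = ("192.0.2.1", "192.0.2.2") if address_rewritten else sender_view
    if explicit_iv:
        iv = os.urandom(BLOCK)  # IV carried inside the IPSP encapsulation itself
        return cbc_decrypt(key, iv, cbc_encrypt(key, iv, plaintext))
    ciphertext = cbc_encrypt(key, iv_from_addresses(*sender_view), plaintext)
    return cbc_decrypt(key, iv_from_addresses(*receiver_view), ciphertext)
```

Because CBC chains on ciphertext, only the first block depends on the IV, so the address mismatch corrupts exactly eight bytes and leaves the rest intact.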