Re[4]: Address as IV [was] Size of IV field in DES-CBC m
Perry,

>In this context, however, we would assume that the encrypting IPSP
>tunnel would have to end at the end of the IP tunnel since IPSP is
>only defined in an IP context. (other contexts might be defined but
>this being the IETF we concern ourselves with IP.)

You are correct that the scope of our work is to protect IP. My end-to-endness
issue is valid primarily for mixed (IP and non-IP) environments.

The binding of IP addresses to an SAID need not be one-to-one. A pair of
router-like devices can communicate over a single security association (one
SAID), but use multiple "black" IP addresses. This is part of a more
complicated scenario that is partially documented in the SP3 cooperating
families appendix (see the NIST publication). I am not a strong advocate of
this approach, but once again, if possible we should not limit the capabilities
of IPSP by our choice of an IV extension mechanism.

There seem to be lots of other alternatives for IV extension ....

Paul