[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Size of IV field in DES-CBC mode

To: dee@skidrow.tay.dec.com, Carl Muckenhirn <cfm@columbia.sparta.com>
Subject: Re: Size of IV field in DES-CBC mode
From: "Housley, Russ" <housley@spyrus.com>
Date: Tue, 03 Jan 95 14:29:52
Cc: ipsec@ans.net, cfm@columbia.sparta.com
Encoding: 852 Text


Carl Muckenhim said:
     I think that's a wonderful idea (always padding with source address). 
     Using the bottom 4 bytes of an IPv6 address may also work, though there 
     may be some IV-space clashes since they are not guaranteed to be 
     different per-host as IPv4 addrs are. Alternatively use the Senders SAID 
     (we might even be able to reduce the amount of bit shuffling if we put 
     the SAID directly before the IV (with no intervening bits).

In some hardware implementations, it is difficult to use IVs that are not 
generated by the hardware.  While many (maybe even most) implementation of IPSP 
will use software, I would hate to prohibit hardware.

For this reason, I would rather use random IVs and carry the source address in a
protected header when data origin authentication requires an address.

Russ

Prev by Date: Re: End to End integrity
Next by Date: Re: Size of IV field in DES-CBC mode
Prev by thread: Re: End to End integrity
Next by thread: Re: Size of IV field in DES-CBC mode
Index(es):
- Main
- Thread