
Re: draft-ietf-ipsec-ah-md5-00.txt




hugo@watson.ibm.com says:
>  > It does. See rfc791 on IP. Total length always occupies the third and
>  > fourth octet of the IP header.
> 
> The minimal thing is to explicitly write in the draft that one is relying
> on the fixed offset for security;

I have no objections to adding such a comment into our draft.

> a better thing is not to rely on that and append the key.

Do you think this would really provide a benefit given the specialized
nature of the thing we are authenticating (that is, IP packets with
explicit lengths)? If this is really a consideration for legitimate
cryptographic reasons, I believe the IPv6 working group should also be
convinced to alter their spec as they would be vulnerable for
precisely the same reasons. What kind of attack do you think could be
mounted on the scheme, given the existence of an explicit length?

Perry

