
Re: risks of MACs associated with packets



	 I also think the authentication info should be outside of the ESP 
	 so that bogus packets can be detected without having to decrypt the
	 whole packet...

I don't think this makes much difference.  While MD5 and the like are
cheaper than DES, they're not that much cheaper.  Philosophically, a
denial of service attack can occur when it's cheaper for your enemy
to send messages than it is for you to process them.  But in this
case, the enemy's transmission process is very cheap:  a random packet
generator.  That's true whether the verification is done by decryption
or by MD5.  In either case, your machine will take a tremendous hit.

