
Re: risks of MACs associated with packets




But even if computation is the same, unencrypting and then
authenticating is at least a factor of two more work.

Donald

From:  smb@research.att.com
To:  Derrell Piper <PIPER@BILBO.TGV.COM>
Cc:  ipsec@ans.net
>	 I also think the authentication info should be outside of the ESP 
>	 so that bogus packets can be detected without having to decrypt the
>	 whole packet...
>
>I don't think this makes much difference.  While MD5 and the like are
>cheaper than DES, they're not that much cheaper.  Philosophically, a
>denial of service attack can occur when it's cheaper for your enemy
>to send messages than it is for you to process them.  But in this
>case, the enemy's transmission process is very cheap:  a random packet
>generator.  That's true whether the verification is done by decryption
>or by MD5.  In either case, your machine will take a tremendous hit.

