
Re: replay attacks



Bill,

	If you reread my recent message on this topic, you'll find
that I changed my mind about sequence numbers not based on the
rationale put forth by the swIPe proponents, but as an anti-replay
countermeasure in the context of denial of service attacks.  So, yes,
I did change my mind, but I did not do so because I "saw the light"
in the arguments put forth by the original proponents.

	There is certainly merit in having an authentication-only
protocol at the IP layer, and for having an encryption-only protocol
configuration.  However, I worry that the current definition for AH is
rather schizophrenic in terms of what data is covered by the
authenticity/integrity check.  It would be much cleaner if AH always
covered a whole IP datagram.  That argues for a version of ESP that
could provide integrity and authenticity for ULP only, in conjunction
with encryption.  I'd like to see ESP re-defined with a facility for
this integrity feature, plus a sequence number feature, both as
optional parts of the top-level ESP spec.  (While we're at it, let's
put in space for an optional IV as well.)  Then the ESP variants
really would differ only based on algorithms and modes.  

	I think we can still set this up to preserve 32-bit alignment
and to take up no more space for encryption-only uses of the protocol.
However, when we could now have both an ESP and an embedded AH header
(to cover ULP data), we could have just an ESP header with the right
features turned on.  This would be more space efficient and probably
slightly (marginally?) faster to process.  It certainly would be
easier to explain to people.  And, as you suggested, this is all
something that is negotiated during security association
establishment. 

Steve