
Re: Alternative transform encapsulation scheme



> From: smb@research.att.com
> Date: Sat, 09 Mar 96 14:48:32 EST
>
> There's a lot that needs to be rethought.  I could quite easily be
> persuaded that we shouldn't -- we've got to get this stuff
> deployed ASAP.

I'm with Bellovin on this.  I don't think we need a non-orthogonal
transform (even though I've written a draft).

The deployed AH-MD5 + ESP-DES is adequate.

> that we should simply decree that ESP
> must be used only in conjunction with AH

We already did, when the ESP transform doesn't provide integrity!!!

In addition to the numerous references in RFC-1825, -1826, and -1827,
RFC-1829 (ESP-DES) clearly states:

   The usual (ICMP, TCP, UDP) transport checksum can detect
   this attack, but on its own is not considered cryptographically
   strong.  In this situation, user or connection oriented integrity
   checking is needed [RFC-1826].

And you promised to write up a more thorough analysis of your attack....


> One small change -- the addition of replay protection --
> does seem to be needed, though.
>
Why?  Doesn't the underlying transport _already_ protect against replay?

That is, TCP and ICMP already protect themselves against replay.

So, you are recommending that the next version of -1826 provide a replay
prevention mechanism?  We've discussed this before, but Atkinson was
opposed.

WSimpson@UMich.edu
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
    Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
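
The RFC-1829 text quoted in this message says the transport checksum is not cryptographically strong on its own. As an added illustration (not part of the original message or of any RFC), this Python sketch shows one reason: the RFC 1071 checksum is unchanged when 16-bit words are reordered, while a keyed digest changes. HMAC-MD5 stands in for AH's keyed MD5, and the key, payload and helper names are constructed for the example.

```python
import hashlib
import hmac
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement checksum (used by TCP, UDP, ICMP)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def keyed_digest(key: bytes, data: bytes) -> bytes:
    """Keyed integrity value. HMAC-MD5 is a stand-in, not the exact AH-MD5 construction."""
    return hmac.new(key, data, hashlib.md5).digest()


def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Exchange the 16-bit words at word indexes i and j (hypothetical helper)."""
    words = [data[k:k + 2] for k in range(0, len(data), 2)]
    words[i], words[j] = words[j], words[i]
    return b"".join(words)


def compare(key: bytes, original: bytes, modified: bytes) -> dict:
    """Report which integrity checks fail to notice the modification."""
    return {
        "checksum_same": internet_checksum(original) == internet_checksum(modified),
        "mac_same": hmac.compare_digest(keyed_digest(key, original),
                                        keyed_digest(key, modified)),
    }


KEY = b"constructed-demo-key"                # constructed sample key
PAYLOAD = b"PAY 0100 TO ACCT 0999 OK"        # constructed 24-byte payload
REORDERED = swap_words(PAYLOAD, 2, 9)        # b"PAY 9900 TO ACCT 0019 OK"

if __name__ == "__main__":
    print(PAYLOAD, "->", REORDERED)
    print(compare(KEY, PAYLOAD, REORDERED))
```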