RE:draft-ietf-ipsec-des-md5-00.txt
James, I would suggest in the esp-DES-HMAC-RP transform, the source and
destination addresses of the IP packet (which will carry the IPSEC payload)
be included in the HMAC computation to provide a sense of direction. These
addresses do not have to appear in the actual packet transmitted.
This is to provide some defense against reflection attacks. I think this
is necessary since it is likely the same set of keys will be used in
both directions.
I must admit I am not sure if it is possible for some routers to change
the source/destination addresses during transmission.
Regards, Pau-Chen
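
Added example, not part of the original message or the draft: a Python sketch of the suggestion above, where the source and destination addresses feed the HMAC as a pseudo-header but are not added to the transmitted data. It also shows what happens to verification if an address is rewritten in transit. The key, addresses, payload, function names and pseudo-header layout are constructed assumptions, and SHA-256 stands in for the draft's MD5.

```python
import hashlib
import hmac
import ipaddress

# Constructed key: the same key is used in both directions, as the message assumes.
KEY = b"constructed-shared-key-both-directions"


def _packed(addr):
    """Length-prefixed binary address, so IPv4 and IPv6 encodings stay unambiguous."""
    raw = ipaddress.ip_address(addr).packed
    return bytes([len(raw)]) + raw


def tag(key, src, dst, payload, bind_addresses=True):
    """HMAC over the payload, optionally preceded by a src||dst pseudo-header.
    The pseudo-header only feeds the MAC; it is never sent on the wire."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    if bind_addresses:
        mac.update(_packed(src) + _packed(dst))
    mac.update(payload)
    return mac.digest()


def verify(key, src, dst, payload, received_tag, bind_addresses=True):
    """Receiver recomputes the tag using the addresses in the IP header it saw."""
    expected = tag(key, src, dst, payload, bind_addresses)
    return hmac.compare_digest(expected, received_tag)


def reflection_accepted(bind_addresses):
    """A sends to B; the identical bytes later arrive at A, apparently from B."""
    a, b = "192.0.2.1", "192.0.2.2"  # constructed documentation addresses
    payload = b"constructed ESP payload"
    t = tag(KEY, a, b, payload, bind_addresses)            # computed by A for A -> B
    assert verify(KEY, a, b, payload, t, bind_addresses)   # normal delivery at B
    return verify(KEY, b, a, payload, t, bind_addresses)   # reflected copy checked at A


def rewritten_source_accepted():
    """Same packet, but the source address was changed in transit before B saw it."""
    a, b, rewritten = "192.0.2.1", "192.0.2.2", "198.51.100.7"  # constructed
    payload = b"constructed ESP payload"
    t = tag(KEY, a, b, payload)
    return verify(KEY, rewritten, b, payload, t)


if __name__ == "__main__":
    print("reflection accepted without address binding:", reflection_accepted(False))
    print("reflection accepted with address binding:   ", reflection_accepted(True))
    print("packet accepted after address rewrite:      ", rewritten_source_accepted())
```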