
RE:draft-ietf-ipsec-des-md5-00.txt



James, I would suggest in the esp-DES-HMAC-RP transform, the source and
destination addresses of the IP packet (which will carry the IPSEC payload)
be included in the HMAC computation to provide a sense of direction. These
addresses do not have to appear in the actual packet transmitted.

This is to provide some defense against reflection attacks. I think this
is necessary since it is likely the same set of keys will be used in
both directions.

I must admit I am not sure if it is possible for some routers to change
the source/destination addresses during transmission.


Regards, Pau-Chen
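
An added illustration of the suggestion in the message above (not part of the original post or of the draft): with one key shared by both directions, a tag computed over the payload alone still verifies when the packet comes back to its sender, while a tag that also covers the source and destination addresses does not. The function names, key, addresses and payload are constructed for the example, and the replay-prevention field of the transform is not modelled.

```python
import hmac
import ipaddress


def pseudo_header(src: str, dst: str) -> bytes:
    """Source and destination address bytes fed to the MAC only.

    They are never appended to the transmitted packet. Assumes both
    addresses are of the same family, so the prefix has a fixed length.
    """
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed


def seal(key: bytes, src: str, dst: str, payload: bytes, bind: bool) -> bytes:
    """HMAC-MD5 tag over the payload, optionally prefixed by the addresses."""
    data = (pseudo_header(src, dst) if bind else b"") + payload
    return hmac.new(key, data, "md5").digest()


def verify(key: bytes, src: str, dst: str, payload: bytes,
           tag: bytes, bind: bool) -> bool:
    """Receiver side: src/dst are taken from the IP header that arrived."""
    return hmac.compare_digest(seal(key, src, dst, payload, bind), tag)


def run_case(bind: bool) -> tuple[bool, bool]:
    """Return (normal delivery accepted, reflected copy accepted)."""
    key = b"constructed-shared-key"   # same key in both directions
    host_a, host_b = "192.0.2.1", "192.0.2.2"   # documentation addresses
    payload = b"constructed ESP payload"

    # A protects a packet for B.
    tag = seal(key, host_a, host_b, payload, bind)

    # B receives it with the outer header A -> B.
    normal = verify(key, host_a, host_b, payload, tag, bind)

    # The same payload and tag arrive back at A under a header B -> A.
    reflected = verify(key, host_b, host_a, payload, tag, bind)
    return normal, reflected


if __name__ == "__main__":
    for bind in (False, True):
        normal, reflected = run_case(bind)
        print(f"addresses in MAC={bind}: normal={normal} reflected={reflected}")
```

A receiver can only recompute the bound tag if the addresses it sees equal the ones the sender used, which is the concern the message raises about devices that change addresses in transit.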

