
Re: draft-ietf-ipsec-des-md5-00.txt



   James, I would suggest in the esp-DES-HMAC-RP transform, the source and
   destination addresses of the IP packet (which will carry the IPSEC payload)
   be included in the HMAC computation to provide a sense of direction. These
   addresses do not have to appear in the actual packet transmitted.
   
   This is to provide some defense against reflection attacks. I think this
   is necessary since it is likely the same set of keys will be used in
   both directions.

Huh?

All of the proposed key mgmt protocols I've looked at in any detail
generate different keys (and different SPI's) in each direction.

					- Bill
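
The two positions in this exchange, as an added Python example that is not part of the original message or of the draft: it checks whether a packet reflected back to its sender still verifies when the HMAC uses one key in both directions, when the outer addresses are bound into the HMAC, and when each direction has its own key. HMAC-SHA-256 stands in for the draft's MD5-based MAC, and the keys, addresses, payload and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

def tag(key, payload, src=None, dst=None):
    """HMAC over the payload. If src/dst are given they are prepended as a
    pseudo-header: authenticated, but never transmitted in the packet."""
    pseudo = b""
    if src and dst:
        pseudo = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return hmac.new(key, pseudo + payload, hashlib.sha256).digest()

def accepts(key, payload, mac, src=None, dst=None):
    """Receiver check; src/dst come from the outer IP header of the arriving packet."""
    return hmac.compare_digest(tag(key, payload, src, dst), mac)

# Constructed sample values (documentation addresses, dummy keys).
A, B = "192.0.2.1", "192.0.2.2"
SHARED = b"k" * 32
KEY_A_TO_B, KEY_B_TO_A = b"a" * 32, b"b" * 32
PAYLOAD = b"constructed ESP payload"

def reflection_results():
    """A sends PAYLOAD to B; the same bytes are then delivered back to A with
    outer header B -> A. Each entry says whether the receiver accepts."""
    results = {}

    # 1. One key for both directions, addresses not covered by the HMAC.
    mac = tag(SHARED, PAYLOAD)
    results["shared_key_reflected"] = accepts(SHARED, PAYLOAD, mac)

    # 2. One key for both directions, src/dst bound into the HMAC.
    mac = tag(SHARED, PAYLOAD, src=A, dst=B)
    results["addr_bound_delivered"] = accepts(SHARED, PAYLOAD, mac, src=A, dst=B)
    results["addr_bound_reflected"] = accepts(SHARED, PAYLOAD, mac, src=B, dst=A)

    # 3. Separate key per direction: A verifies inbound traffic with KEY_B_TO_A.
    mac = tag(KEY_A_TO_B, PAYLOAD)
    results["per_direction_delivered"] = accepts(KEY_A_TO_B, PAYLOAD, mac)
    results["per_direction_reflected"] = accepts(KEY_B_TO_A, PAYLOAD, mac)
    return results

if __name__ == "__main__":
    for name, accepted in reflection_results().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```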



