Re: draft-ietf-ipsec-des-md5-00.txt
> James, I would suggest in the esp-DES-HMAC-RP transform, the source and
> destination addresses of the IP packet (which will carry the IPSEC payload)
> be included in the HMAC computation to provide a sense of direction. These
> addresses do not have to appear in the actual packet transmitted.
>
> This is to provide some defense against reflection attacks. I think this
> is necessary since it is likely the same set of keys will be used in
> both directions.

Huh?

All of the proposed key mgmt protocols I've looked at in any detail
generate different keys (and different SPI's) in each direction.

- Bill
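Added example, not part of the original message or of the draft: a sketch of the two designs discussed in this thread, showing that a packet reflected to its sender verifies when one key covers both directions and the MAC covers only the payload, and is rejected when either the addresses are bound into the HMAC or each direction has its own key. HMAC-SHA-256 stands in for the draft's HMAC, the payload layout is not the transform's real format, and all keys, addresses and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values (documentation addresses, dummy keys).
A, B = "192.0.2.1", "192.0.2.2"
SHARED_KEY = b"k" * 16
KEY_A_TO_B = b"a" * 16
KEY_B_TO_A = b"b" * 16
PAYLOAD = b"constructed ESP payload"


def tag(key, payload, src=None, dst=None):
    """HMAC over the payload; if src/dst are given they are fed to the
    MAC as an implicit prefix and are never part of the transmitted bytes."""
    mac = hmac.new(key, digestmod=hashlib.sha256)  # stand-in hash (assumption)
    if src is not None:
        mac.update(ipaddress.ip_address(src).packed)
        mac.update(ipaddress.ip_address(dst).packed)
    mac.update(payload)
    return mac.digest()


def accepts(key, payload, received_tag, src=None, dst=None):
    """Receiver-side check with a constant-time comparison."""
    return hmac.compare_digest(tag(key, payload, src, dst), received_tag)


def reflection_results():
    """A sends PAYLOAD to B; the same bytes come back to A as if from B.
    Returns whether A accepts the reflected packet under each design."""
    results = {}
    # Same key both ways, MAC over payload only: nothing encodes direction.
    t = tag(SHARED_KEY, PAYLOAD)
    results["shared_key_payload_only"] = accepts(SHARED_KEY, PAYLOAD, t)
    # Same key, addresses bound: A verifies inbound traffic as src=B, dst=A.
    t = tag(SHARED_KEY, PAYLOAD, A, B)
    results["shared_key_addresses_bound"] = accepts(SHARED_KEY, PAYLOAD, t, B, A)
    # Per-direction keys: A verifies inbound traffic with the B-to-A key.
    t = tag(KEY_A_TO_B, PAYLOAD)
    results["per_direction_keys"] = accepts(KEY_B_TO_A, PAYLOAD, t)
    return results


def legitimate_delivery_ok():
    """The address-bound tag still verifies at the intended receiver B."""
    t = tag(SHARED_KEY, PAYLOAD, A, B)
    return accepts(SHARED_KEY, PAYLOAD, t, A, B)
```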