[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: I-D ACTION:draft-thayer-seccomp-00.txt

To: Bob Monsour <rmonsour@earthlink.net>
Subject: Re: I-D ACTION:draft-thayer-seccomp-00.txt
From: "Perry E. Metzger" <perry@piermont.com>
Date: Thu, 08 Aug 1996 18:53:29 -0400
Cc: ipsec@TIS.COM
In-Reply-To: Your message of "Thu, 08 Aug 1996 14:43:08 PDT." <2.2.32.19960808214308.006e95d4@earthlink.net>
Reply-To: perry@piermont.com
Sender: ipsec-approval@neptune.tis.com


Bob Monsour writes:
> I would add that this does pose another problem for the environment where
> there may be a subsystem (say a chip or chipset) which takes an
> under-construction IP datagram as input and performs compression, encryption
> and AH MAC computation, outputting the complete IP datagram to be
> transmitted. Since the AH MAC is computed over the entire IP datagram, the
> datagram/payload length field of the packet is not known until after the
> data is compressed (prior to encryption). In order to avoid making multiple
> passes over the data, I would propose that the definition of the span of the
> MAC for AH eliminate the datagram/payload length field.
> 
> Comments?

That probably lowers security in some environments. Folding in the
length of the datagram makes it harder to fake a datagram with the
same MAC.

Perry

References:

Re: I-D ACTION:draft-thayer-seccomp-00.txt

From: Bob Monsour <rmonsour@earthlink.net>

Prev by Date: Re: I-D ACTION:draft-thayer-seccomp-00.txt
Next by Date: Re: I-D ACTION:draft-thayer-seccomp-00.txt
Prev by thread: Re: I-D ACTION:draft-thayer-seccomp-00.txt
Next by thread: Re: I-D ACTION:draft-thayer-seccomp-00.txt
Index(es):
- Main
- Thread