
RE: replay field size



> Should AH and ESP both have a fixed size replay counter ? (Yes/No/Don't
> Care)

No.

Listen folks, it ain't that hard to build.  Replay counter size is a function
of what is negotiated in the SA.  You have all the data right there.  Use the
information in the association and set your pointers accordingly.  The
annoyance of checking for variable-sized replay counters is lost in the noise
of a CPU-hungry HMAC calculation.  Even if you have hardware-assist on the
HMAC, the memory access time will at least be dominant, if not overwhelming.

Let's not forget IPv6 alignment requirements, too!  Though admittedly,
creative padding can fix this problem.

> Should SHA-1 output be truncated to 128 bits from 160 bits ? (Yes/No/Don't
> Care)

Yes, simply because I trust Hugo's opinion on this.

Dan
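To illustrate the point made above, that the receiver can take the replay counter width from the negotiated SA rather than needing a fixed size, here is an added example (not Dan's code, not from any IPsec implementation). It assumes a hypothetical header layout in which the counter is a big-endian field of per-SA width at a per-SA offset, and uses a sliding-window check of the usual kind.

```python
# Anti-replay check whose counter width is a per-SA parameter (hypothetical
# layout: counter is big-endian, `counter_bytes` wide, at `offset` in the packet).
WINDOW = 64  # assumed window size, in sequence numbers


class ReplayState:
    """Per-SA replay state: negotiated counter width plus sliding window."""

    def __init__(self, counter_bytes: int, window: int = WINDOW):
        self.counter_bytes = counter_bytes          # 4 or 8 in practice
        self.window = window
        self.top = 0                                # highest accepted sequence
        self.bitmap = 0                             # bit i set => top - i seen


def read_counter(packet: bytes, offset: int, counter_bytes: int) -> int:
    """Extract the replay counter using the SA's width, not a fixed 32 bits."""
    field = packet[offset:offset + counter_bytes]
    if len(field) != counter_bytes:
        raise ValueError("packet too short for negotiated counter width")
    return int.from_bytes(field, "big")


def check_and_update(state: ReplayState, seq: int) -> bool:
    """Return True and record seq if it is fresh; False if replayed/too old."""
    max_seq = (1 << (8 * state.counter_bytes)) - 1
    if seq == 0 or seq > max_seq:               # 0 is never valid; width bound
        return False
    if seq > state.top:                         # advance the window
        shift = seq - state.top
        if shift >= state.window:
            state.bitmap = 1
        else:
            mask = (1 << state.window) - 1
            state.bitmap = ((state.bitmap << shift) | 1) & mask
        state.top = seq
        return True
    diff = state.top - seq
    if diff >= state.window:                    # older than the window
        return False
    bit = 1 << diff
    if state.bitmap & bit:                      # already seen: replay
        return False
    state.bitmap |= bit
    return True


def make_packet(seq: int, counter_bytes: int, offset: int) -> bytes:
    """Constructed test packet: filler bytes, then the counter at `offset`."""
    return b"\x00" * offset + seq.to_bytes(counter_bytes, "big") + b"\xaa" * 8


def accept_packet(state: ReplayState, packet: bytes, offset: int) -> bool:
    return check_and_update(state, read_counter(packet, offset, state.counter_bytes))
```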