Re: Proposed changes to ESP (andf a little AH too)

[Robert Moskowitz <rgm3@chrysler.com>]

At 02:10 PM 3/21/97 -0500, Stephen Kent wrote:
>
>	Now for a bigger change!  I suggest that we reverse the order of
>encryption and authentication processing, when both are employed.  Now,
>authentication processing occurs first, then encryption.  This means that a
>receiver must decrypt then autehnticate.  While most systems I have seen in
>the past have adopted this strategy, we are now more concerned with denial
>of service attacks.  A likely common use of ESP is to create VPNs thorugh
>IPSEC implementations in security gateways.  If we reverse the order of
>processing, then a secruity gateway can validate the integrity and
>authenticity of a packet befor edecrypting it, thus rejecting bogus packets
>faster (about twice as fast, in many instances), than if we had to decrypt
>then authenticate.  Combined with the psoposed positional change for the
>counter (suggested above), we now have an ability to reject duplicate or
>spurious packets very quickly, providing better defense against DoS attacks.

Steve, I will admit my limited experience in this matter, but in secure
mail, it makes sense to auth then encrypt to hide identities for traffic
analysis and for gaining identities of protected individuals (like CEOs).

Now does the same argument apply to IPsec?  Would exposing the auth
information reveal more than some would want?


Robert Moskowitz
Chrysler Corporation
(810) 758-8212

---

References:

• Proposed changes to ESP (andf a little AH too)
• From: Stephen Kent <kent@bbn.com>

---

• Prev by Date: Re: Proposed changes to ESP (andf a little AH too)
• Next by Date: Re: Proposed changes to ESP (andf a little AH too)
• Prev by thread: Re: Proposed changes to ESP (andf a little AH too)
• Next by thread: Re: Proposed changes to ESP (andf a little AH too)
• Index(es):
  • Main
  • Thread