
Re: Proposed changes to ESP (and a little AH too)



> > The main argument against doing encryption first and auth second would
> > be - generally speaking there is no guarantee even if you verified the 
> > CIPHERTEXT correctly,  that the PLAINTEXT finally obtained is the same
> > as was sent.
> 
> That's a robustness argument against authenticating the ciphertext,
> and a pretty good one if the decryption routine is complicated.
> 
> However, if the decryption is simple & easy to analyze, we can (mostly)
> put to rest those fears about authenticating ciphertext.

It's also the case that the bulk of the protocols which will likely be
used inside ESP (IP, UDP, TCP) already use a simple 16-bit checksum,
which will cause most garbled traffic to be dropped.

If we assume that errors where the ciphertext is authenticated but the
decryption is garbled will most likely occur during debugging of new
code or manual keying, then that would seem to be an acceptable risk;
the operator(s) will interpret 99.998% packet loss as 100% packet loss
and start debugging.

We merely need to specify that the IP checksum MUST be supplied on
transmission and verified on receipt for packets nested inside ESP.

						- Bill
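
Added example, not part of the original message or of any ESP implementation: a Python sketch of the receive-side check proposed above, the RFC 1071 checksum verified on the inner IPv4 header after decryption. It models a garbled decryption as uniformly random bytes (an assumption) and shows that about 1 in 65536 such headers still verifies, which is where the 99.998% loss figure comes from. The sample header and all function names are constructed for illustration.

```python
import random
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def header_ok(header: bytes) -> bool:
    """Receiver check: the checksum over the header, checksum field included, is 0."""
    return internet_checksum(header) == 0

def fill_checksum(header: bytes) -> bytes:
    """Sender side: zero bytes 10-11 of the IPv4 header, then store the checksum there."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", internet_checksum(zeroed)) + zeroed[12:]

def garbled_survivors(trials: int, seed: int = 1) -> int:
    """Count random 20-byte 'decryptions' that still pass the header checksum."""
    rng = random.Random(seed)
    return sum(header_ok(rng.getrandbits(160).to_bytes(20, "big"))
               for _ in range(trials))

def passing_words(header: bytes, offset: int = 10) -> int:
    """Vary one 16-bit word over all 65536 values; count the values that verify."""
    return sum(
        header_ok(header[:offset] + struct.pack("!H", w) + header[offset + 2:])
        for w in range(0x10000)
    )

# Constructed sample: 20-byte IPv4 header with the checksum field left at zero.
SAMPLE = bytes.fromhex("450000730000400040110000c0a80001c0a800c7")

if __name__ == "__main__":
    good = fill_checksum(SAMPLE)
    print("valid header verifies:", header_ok(good))
    n = passing_words(SAMPLE)
    print(f"{n} of 65536 checksum values verify -> "
          f"{100 * (1 - n / 65536):.3f}% of garbled headers dropped")
    print("random headers passing out of 100000:", garbled_survivors(100_000))
```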

