
Proposed changes to ESP (and a little AH too)



Ref:  Your note of Tue, 25 Mar 1997 11:56:26 -0500 (attached)

I agree with both Bill's note attached here,
and Dave Wagner's comments in a recent note.

If the choice were purely cryptographic, I might be inclined toward the
current authenticate-the-plaintext (and encrypt the MAC) approach.
It better captures the real objective, which is to authenticate the
plaintext rather than the ciphertext.
However, the other approach is not so bad as to be immediately
disqualified.

If authenticate-the-ciphertext is chosen, it will be important to have
some remarks in the draft along the lines of Dave's note.

The real question to decide in this WG is whether the advantage against
denial of service attacks provided by the authenticate-the-ciphertext
approach is important enough to risk even further delay of ipsec
deployment (which is also a form of denial-of-service attack :)

In other words, if any of these discussions cannot be resolved by Memphis,
leave it the way it is now and go forward.

Hugo

----------------------------- Note follows ------------------------------
Message-Id: <199703251656.LAA02300@thunk.ch.apollo.hp.com>
To: daw@cs.berkeley.edu (David Wagner)
Cc: ipsec@ex.tis.com
Subject: Re: Proposed changes to ESP (andf a little AH too)
In-Reply-To: daw's message of 24 Mar 1997 22:33:06 -0800.
	     <5h7rj2$ng6@joseph.cs.berkeley.edu>
Date: Tue, 25 Mar 1997 11:56:26 -0500
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>

> > The main argument against doing encryption first and auth second would
> > be - generally speaking there is no guarantee even if you verified the
> > CIPHERTEXT correctly,  that the PLAINTEXT finally obtained is the same
> > as was sent.
>
> That's a robustness argument against authenticating the ciphertext,
> and a pretty good one if the decryption routine is complicated.
>
> However, if the decryption is simple & easy to analyze, we can (mostly)
> put to rest those fears about authenticating ciphertext.

It's also the case that the bulk of the protocols which will likely be
used inside ESP (IP, UDP, TCP) already use a simple 16-bit checksum,
which will cause most garbled traffic to be dropped.

If we assume that errors where the ciphertext is authenticated but the
decryption is garbled will most likely occur during debugging of new
code or manual keying, then that would seem to be an acceptable risk;
the operator(s) will interpret 99.998% packet loss as 100% packet loss
and start debugging.

We merely need to specify that the IP checksum MUST be supplied on
transmission and verified on receipt for packets nested inside ESP.

						- Bill
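
Added example, not part of either message: a Python sketch of the authenticate-the-ciphertext receive path discussed above, showing a forged packet rejected before decryption and a mis-keyed (manual keying error) packet passing the MAC but caught by a 16-bit Internet checksum on the inner data. The stream cipher, HMAC-SHA-256 tag, packet framing, key strings and function names are all assumptions made for illustration, not ESP transforms.

```python
import hashlib, hmac, struct

def keystream_xor(key, data):
    # Stand-in cipher (SHA-256 in counter mode); an assumption, not an ESP transform.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def inet_checksum(data):
    # RFC 1071 16-bit one's-complement checksum.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def seal(enc_key, auth_key, payload):
    # Inner packet carries its checksum; the MAC covers the ciphertext only.
    inner = struct.pack(">H", inet_checksum(payload)) + payload
    ct = keystream_xor(enc_key, inner)
    return ct + hmac.new(auth_key, ct, hashlib.sha256).digest()

def unseal(enc_key, auth_key, packet):
    ct, tag = packet[:-32], packet[-32:]
    expected = hmac.new(auth_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return ("auth-fail", None)        # rejected before any decryption work
    inner = keystream_xor(enc_key, ct)
    if inet_checksum(inner[2:]) != struct.unpack(">H", inner[:2])[0]:
        return ("checksum-fail", None)    # authentic ciphertext, garbled plaintext
    return ("ok", inner[2:])

def mis_keyed_drop_count(trials=200):
    # Constructed scenario: auth key agrees, encryption key was mistyped.
    auth = b"constructed-auth-key"
    pkt = seal(b"sender-enc-key", auth, b"constructed inner datagram payload")
    results = [unseal(b"wrong-key-%d" % i, auth, pkt)[0] for i in range(trials)]
    return results.count("checksum-fail")

if __name__ == "__main__":
    print(mis_keyed_drop_count(), "of 200 mis-keyed packets dropped by checksum")
```

A garbled inner packet slips past a 16-bit checksum about once in 65536 tries, which is where the 99.998% figure in the note comes from.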