
Re: new ESP spec (bigger message)



Dan,


>> 2.4  Payload Data

<SNIP! SNIP!>

>This isn't a real problem for IPv6.  The reason for the 8-byte alignment
>drive in IPv6 was to make fast-path processing faster.  (Those of us with
>UltraSPARC appreciate this.)  Since ESP is already beating down the slow
>path, this isn't as huge of a deal as one might think at first.  Also, a
>properly formed IPv6 datagram will be 8-byte aligned once you strip out the
>ESP cruft after decryption.
>
>There's always crypto-algorithm alignment issues, but I leave those to the
>crypto wizards.

Good to hear that view from an IPv6 perspective, but we are crypto people too!


>> 3.2.4.3  Authentication Algorithms

<SNIP! SNIP!>

>Is the HMAC truncated for use in ESP?!?  I hadn't heard any movement to do
>so, but I sometimes miss these things.

We were going for consistency here.  There's no reason to believe that if
96 bits is good enough for authentication/integrity in AH that it isn't
good enough for the same services in ESP.

Steve
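
The 96-bit truncation discussed in this exchange, shown as an added example that is not part of the original message or of the spec text: the sender keeps the leftmost 96 bits of the HMAC as the authentication data, and the receiver recomputes and compares them in constant time. HMAC-SHA-1, the simplified SPI/sequence-number/payload layout, and the names `icv96`, `seal` and `verify` are assumptions for illustration; the key and payload are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # 96 bits, the truncated length discussed in the thread


def icv96(key: bytes, data: bytes, digestmod=hashlib.sha1) -> bytes:
    """Return the leftmost 96 bits of HMAC(key, data)."""
    return hmac.new(key, data, digestmod).digest()[:ICV_LEN]


def seal(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Build SPI || sequence number || payload || ICV (simplified layout, an assumption)."""
    body = struct.pack("!II", spi, seq) + payload
    return body + icv96(key, body)


def verify(key: bytes, packet: bytes) -> bool:
    """Recompute the ICV over everything before it; compare in constant time."""
    if len(packet) < 8 + ICV_LEN:
        return False  # too short to hold the 8-byte header and the ICV
    body, received = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv96(key, body), received)


def flip_bit(packet: bytes, index: int) -> bytes:
    """Return a copy of packet with the low bit of one byte flipped."""
    return packet[:index] + bytes([packet[index] ^ 1]) + packet[index + 1:]


if __name__ == "__main__":
    key = bytes(range(20))  # constructed 160-bit key
    pkt = seal(key, 0x1001, 1, b"constructed payload")
    print("intact packet accepted:  ", verify(key, pkt))
    print("modified payload accepted:", verify(key, flip_bit(pkt, 9)))
    print("modified ICV accepted:    ", verify(key, flip_bit(pkt, len(pkt) - 1)))
```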



