[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: comments on draft-ietf-ipsec-new-esp-00

To: adams@cisco.com (Rob Adams)
Subject: Re: comments on draft-ietf-ipsec-new-esp-00
From: Stephen Kent <kent@bbn.com>
Date: Sat, 5 Apr 1997 08:14:08 -0500
Cc: ipsec@tis.com
In-Reply-To: <01BC4020.D79923C0@Tastid.cisco.com>
Sender: owner-ipsec@ex.tis.com

Rob,

	Some more responses to your additional comments:

>Section 2.3:
>
>The draft should probably state that the IV should always be a multiple of
>32 bits.
>Or require multiples of 64 for IPv6.


Well, this is really an algorithm independence issue.  We don't get to pick
IV lengths; they are defined by the algorithms.  However, we can require
this field  to be a multiple of 32 bits and note that if the real IV does
not conform to this requiremend, then the algorithm spec will describe how
padding is performed.


>Section 2.4:
>
>To solve the alignment problem, could we always simply require the replay
>field.
>Don't use it if you don't have AH but leave it there with random trash
>otherwise
>to preserve alignment.  I don't believe I'm saying this... %)

Yes, we could, but I hesitate to adopt that approach.  It wastes space in
an IPv4 context, and the presence/absence of an IV also affects the overall
alignment problem, so always requiring the sequence number does not fix
this in all cases anyway.  For example, if one uses the 32-bit IV (for DES
CBC) that is part of the original RFCs, and one allocates 32 bits for the
anti-replay  sequence counter, we have an IPv6 alignment problem anyway!

Steve

References:

comments on draft-ietf-ipsec-new-esp-00

From: adams@cisco.com (Rob Adams)

Prev by Date: Re: comments on draft-ietf-new-auth-00
Next by Date: Re: Manual keying and replay prevention and ISAKMP negotiation
Prev by thread: comments on draft-ietf-ipsec-new-esp-00
Next by thread: Re: comments on draft-ietf-ipsec-new-esp-00
Index(es):
- Main
- Thread