[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ESP revisions straw poll

To: Charles Lynn <clynn@bbn.com>
Subject: Re: ESP revisions straw poll
From: "Angelos D. Keromytis" <angelos@dsl.cis.upenn.edu>
Date: Sat, 17 May 1997 01:52:04 +0100
cc: ipsec@tis.com
In-reply-to: Your message of "Sat, 17 May 1997 00:42:31 EDT." <199705170521.BAA27799@codex.cis.upenn.edu>
Sender: owner-ipsec@ex.tis.com

In message <199705170521.BAA27799@codex.cis.upenn.edu>, Charles Lynn writes:
>
>Yes, that is one way to work around the problem.  Cost: 20 (40)
>unnecessary bytes per IPv4 (IPv6) packet sent over the lifetime of the
>protocol.  When viewed from the perspective of a security gateway,
>[IP][IP][AH][IP][whatever], just makes things more likely to run into
>path MTU / fragmentation problems.

That's true. I was only saying that one can do that if one really
wants to. But i believe that one shouldn't care. Opinions obviously
vary.

>Yes, it has been discussed for a long while.  There was a request for
>a poll and I responded with what I think is the best solution and
>my rational for thinking so.

Apologies if it seemed like i was dismissing your opinion and
rational. I was just counter arguing.

>Good points.  But providing functionality needed by several layer N
>protocols at a lower layer has merit.

As long as this doesn't break things or makes them more complicated
than they ought to be (and they're complicated enough as it is).

>Since you raised the issue, do you know the rational for that
>decision?  I can see how it might make construction of third party
>wire tapping devices a little easier.  However, as an implementor, I

An SPI is guaranteed (supposedly) to be unique per address. That makes
the pair SPI/address unique on any lookup table. SPIs are needed
because two boxes might have more than one SAs shared, and addresses
are needed to distinguish between the same SPI value among different
boxes. Presumably, the issuer of SPIs issues unique SPIs per box,
which means the same SPI will not occur for more than one address of
that box. Given that, the receiver of an IPsec packet need not concern
oneself with the address once he's established that the packet is
destined for him. Hope this answers.

[At this point, your message was destroyed by MH...fun. So i probably
 missed what you said about dynamic IP.]

>No.  Maybe a picture would help.
[snip]

I see the problem now. About something you mentioned: all the
implementations i've been involved in do in-place decryption, so
copying would be unnecessary.

I suppose 64-bit multiple IVs is reasonable then.
Cheers,
-Angelos

Prev by Date: Re: ESP revisions straw poll
Next by Date: Re: ESP revisions straw poll
Prev by thread: Re: ESP revisions straw poll
Next by thread: Re: ESP revisions straw poll
Index(es):
- Main
- Thread