Re: Derived versus Explicit IV
>
> Thus the new ESP is compatible with the old ESP?
To answer both of your messages, here's what we're talking about:
  Old ESP+DES (with 32-bit IV)       NEW ESP + ciph-des-derived
  ----------------------------       --------------------------
  32 bits  SPI                       32 bits  SPI
  32 bits  IV                        32 bits  Sequence number
  <var>    ciphertext                <var>    ciphertext
  <var>    pad                       <var>    pad
  8 bits   padlen                    8 bits   padlen
  8 bits   nextheader                8 bits   nextheader
Looks like the same packet to me, especially when the "IV derived from
Sequence Number" algorithm is the same as the old RFC1829 "convert 32-bit IV
to 64 bit IV" algorithm.
Therefore, ciph-des-derived MUST be mandatory-to-implement, in order that
new products retain backwards compatibility with old products.
> But are you saying that these vendors who have already shipped RFC1829
> compliant products do not wish to upgrade their product to the newer
> IPSec standard?
Yes, but we can't require that customers upgrade their deployed equipment
(especially with a "flag day" due to incompatibilities).
> Vendor's who released implementations on draft documents or on RFCs that
> have been obsoleted obviously realized that the protocol would change
> and they would have to upgrade their IPSec implementation.
RFC 1827/1829 are both IETF Proposed Standards. Like it or not, they're out
in the field, and have been for almost TWO YEARS. This is the price this
working group pays for its glacial progress.
--
Harald
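The wire-compatibility argument above can be checked mechanically. The following is an added example, not code from the original thread or from any IPsec implementation: it parses the 8-byte ESP header under both readings (RFC 1829 "32-bit IV" and new-ESP "sequence number"), derives the 64-bit DES IV with the RFC 1829 rule (the 32-bit value followed by its bitwise complement), and parses the decrypted trailer (padlen, nextheader). It assumes, as the message does, that ciph-des-derived uses exactly that RFC 1829 derivation; the packet bytes and helper names are constructed for illustration.

```python
import struct

# ESP header shared by both layouts: SPI, then a 32-bit word that RFC 1829
# calls the IV and the new ESP calls the sequence number.
ESP_HDR = struct.Struct("!II")


def derive_des_iv(word32: bytes) -> bytes:
    """RFC 1829 rule: 64-bit DES IV = 32-bit value || bitwise complement.

    Assumption (from the message): ciph-des-derived applies the same rule to
    the sequence number, so the wire bytes mean the same thing either way.
    """
    if len(word32) != 4:
        raise ValueError("IV/sequence word must be exactly 4 bytes")
    return word32 + bytes(b ^ 0xFF for b in word32)


def build_esp(spi: int, word: int, ciphertext: bytes) -> bytes:
    """Sender side: SPI, 32-bit IV-or-sequence word, then the encrypted body."""
    return ESP_HDR.pack(spi, word) + ciphertext


def parse_esp(packet: bytes, layout: str) -> dict:
    """Receiver side under either layout.

    layout="rfc1829": the second word is an explicit 32-bit IV.
    layout="derived": the second word is a sequence number; IV is derived.
    Both end up calling derive_des_iv on the same 4 bytes.
    """
    if layout not in ("rfc1829", "derived"):
        raise ValueError("unknown layout")
    if len(packet) < ESP_HDR.size:
        raise ValueError("short ESP packet")
    spi, word = ESP_HDR.unpack_from(packet)
    word_bytes = packet[4:8]
    return {
        "spi": spi,
        "word": word,                       # IV (old) or sequence number (new)
        "iv": derive_des_iv(word_bytes),    # 64-bit DES IV actually used
        "ciphertext": packet[8:],           # payload || pad || padlen || nextheader
    }


def parse_esp_trailer(plaintext: bytes) -> tuple:
    """After decryption: strip pad, padlen (1 byte) and nextheader (1 byte)."""
    if len(plaintext) < 2:
        raise ValueError("decrypted ESP body too short for trailer")
    padlen, next_header = plaintext[-2], plaintext[-1]
    if padlen > len(plaintext) - 2:
        raise ValueError("padlen exceeds body; reject the packet")
    payload = plaintext[: len(plaintext) - 2 - padlen]
    return payload, next_header


def same_iv_both_ways(packet: bytes) -> bool:
    """The compatibility claim: old and new receivers derive the same DES IV."""
    old = parse_esp(packet, "rfc1829")
    new = parse_esp(packet, "derived")
    return old["iv"] == new["iv"] and old["ciphertext"] == new["ciphertext"]


if __name__ == "__main__":
    # Constructed packet: SPI 0x100, sequence number / IV 7, opaque 16-byte body.
    pkt = build_esp(0x100, 7, b"\xaa" * 16)
    print(parse_esp(pkt, "derived")["iv"].hex())   # 00000007fffffff8
    print(same_iv_both_ways(pkt))
```

Note that padlen is taken from decrypted data, so a receiver must bound it by the body length before slicing; an unchecked padlen is the classic way an ESP trailer parser goes wrong.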