
Re: Derived versus Explicit IV



   Date: Wed, 23 Jul 1997 23:11:09 -0400
   From: Norman Shulman <norm@tor.securecomputing.com>

   Authentication can be provided by a separate AH header. For
   interoperability, it doesn't matter how the 32-bit IV is
   generated. RFC-1829 implementations won't be compliant, but at least
   they will be compatible.

That's simply not true.  RFC-1829 implementations are allowed to pick
random IV's --- it doesn't specify how the IV's are picked at all.  If
they do so, they won't be compliant with the latest ESP, because that
field is where the sequence number goes, which must be a sequentially
incrementing field starting at zero.

Therefore, RFC-1829 implementations can not be counted upon to be
compatible with the new ESP, no matter whether you use an explicit or
derived IV.

   > Finally, if you need to support both the old manual keying way of doing
   > things and the new key-management way of doing things, the extra code to
   > support a new cipher algorithm is minimal; the size of your DES, MD5,
   > SHA, et al. implementation will completely dwarf the extra code you
   > need to support the new way of handling the sequence number and IV
   > (which is after all, simply byte juggling).

   Why add unnecessary complexity?

We made changes to the ESP protocol --- by adding a sequence number
field, and adding an authenticator --- to improve ESP's security.  The
old ESP was flawed; we fixed it.  Sometimes such fixes imply
incompatible changes.  Life's rough sometimes.

						- Ted

