[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: New draft -- IPSEC ESP

To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Subject: Re: New draft -- IPSEC ESP
From: Stephen Kent <kent@bbn.com>
Date: Thu, 24 Jul 1997 18:43:51 -0400
Cc: ipsec@tis.com
In-Reply-To: <199707222229.SAA17948@dcl.MIT.EDU>
References: Marc Hasson's message of Tue, 22 Jul 1997 14:52:53 -0700,<199707222152.OAA03654@feller.mentat.com>
Sender: owner-ipsec@ex.tis.com

Ted,

	The reference to the implicit IV DES CBC mode as THE required
encryption algoroithm is merely a carry forward from previous drafts,
updated to refer to Bill's current I-D.  Nobody objected to this reference
in previous drafts (March 27 and May 30), but it certainly can be changed.
I hate to jump into this argument but ...

	If authentication is employed with this encryption mode, as is the
required default for ESP, then I personally prefer an explicit (pseudo)
random IV, of 64 bits.  As Steve Bellovin has pointed out, such
authentication is adequate protection against the ability to modify the
first block of the plaintext, and the entropy provide by the 64 bit
explicit IV (which may have some implications for confidentiality) is
consistent with DES FIPS guidelines.  I believe FIPS 81 actually calls for
integrity protecting a 64-bit (pseudo) random IV (through the use of ECB
mode encryption) for CBC mode, but that is obviated by our use of a strong
authentication mechanism of the sort we require (as a default).  Also note
that use of a smaller effectuve IV motivates rekeying an SA sooner than
might otherwise be needed (compared to a 64-bit IV in which all bits were
independent).

	So, from a pure confidentiality perspective, I think one might
argue that an explicit, 64 bit, (pseudo) random IV is preferable.  We
address authentication/integrity concerns separately with the MAC, or with
use of AH, so I would not bring such concerns into this discussion.  I view
implicit IV approaches as motivated primarily by a desire to save space in
the header, and I don't challenge that motivation.  The WG must decide on a
default, MUST implement encryption algorithm and mode and that decision
will weight space efficiency, confidentiality effectiveness, rekey
frequency, and existing implementations in some fashion.  This is a fairly
complex set of factors to consider, so I don't assume it will be an easily
objectifiable (did I really type that word?) decision.

Steve

References:

Re: New draft -- IPSEC ESP

From: mark@mentat.com (Marc Hasson)

Re: New draft -- IPSEC ESP

From: "Theodore Y. Ts'o" <tytso@MIT.EDU>

Prev by Date: Re: HMAC-MD5 test vectors?
Next by Date: Re: HMAC-MD5 test vectors?
Prev by thread: Re: New draft -- IPSEC ESP
Next by thread: I-D ACTION:draft-ietf-ipsec-ciph-3des-expiv-00.txt
Index(es):
- Main
- Thread