[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Sequence numbers and IVs

To: ipsec@tis.com
Subject: Sequence numbers and IVs
From: Stephen Kent <kent@bbn.com>
Date: Fri, 25 Jul 1997 08:09:09 -0400
In-Reply-To: <6325.wsimpson@greendragon.com>
Sender: owner-ipsec@ex.tis.com

Folks,

One more thought on the issue of using the ESP sequence number field as an
IV.  I note that Bill's I-D calls for the sequence number field to be
initialized differently depending on whether key management is manual or
automated.  In the former case the initial value is random, while in the
latter case it is zero. Although not explicitly stated, I assume the
difference is motivated by a desire to not trivially reuse the same IV
space with the same key, even though such reuse may well occur anyway if
the manual key is not changed frequently or if the traffic volume is
siginficant.  This difference also requires the sequence number wrap around
logic to differ for each case (although one could maintain a
zero-initialized, shadow counter in the random IV case to avoid the need to
do modular arithmetic comparisons to detect overflow). Still, this is an
example of increased system design complexity that results from reusing the
sequence number field for an IV. I'm not saying that this ought to be
considered a show stopper per se, but many have argued on this list for
avoiding just this sort of added complexity, e.g., in deciding not to
support an authentication-only mode for ESP.

Steve

References:

replay and insecure security implementations

From: "William Allen Simpson" <wsimpson@greendragon.com>

Prev by Date: replay and insecure security implementations
Next by Date: I-D ACTION:draft-simpson-ipsec-cbcs-00.txt
Prev by thread: replay and insecure security implementations
Next by thread: Re: replay and insecure security implementations
Index(es):
- Main
- Thread