Re: Calling the question: derived vs. explicit IV

[Norman Shulman <norm@tor.securecomputing.com>]

On Fri, 1 Aug 1997, Theodore Y. Ts'o wrote:

>    Date: Fri, 1 Aug 97 14:32:52 GMT
>    From: "William Allen Simpson" <wsimpson@greendragon.com>
> 
>    In favor of Derived:
> 
>     2) Maintains complete backward compatibility with RFCs 1829 and 1851.
>        All shipping implementations already support the derived IV.
> 
> Not true.  It is not _complete_ backwards compatibility.  RFC 1829
> support's no IV, 32-bit IV, and 64-bit IV.  The compatibility you
> propose only works using RFC 1829-style 32-bit IV.  
> 
> In addition the handling of sequence number wrapping means that there is
> yet another compatibility issue.  This can be solved having the ESP
> engine know something about whether the key management was manually done
> or not.  However, that's an abstraction violation, and it certainly adds
> to the complexity of the implementation simply to have this
> "compatibility".

Using the current ESP draft in compatibility mode requires disabling the
authentication service. When the authentication service is disabled, the draft
requires disabling sequence number verification.

Norm


                    Norman Shulman      Secure Computing Canada
     	         Systems Developer      Tel 1 416 813 2075
      norm@tor.securecomputing.com      Fax 1 416 813 2001

---

Follow-Ups:

• Re: Calling the question: derived vs. explicit IV
• From: Stephen Kent <kent@bbn.com>

References:

• Re: Calling the question: derived vs. explicit IV
• From: "Theodore Y. Ts'o" <tytso@MIT.EDU>

---

• Prev by Date: Proposed IPsec interop workshop
• Next by Date: Re: Calling the question: derived vs. explicit IV
• Prev by thread: Re: Calling the question: derived vs. explicit IV
• Next by thread: Re: Calling the question: derived vs. explicit IV
• Index(es):
  • Main
  • Thread