[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Ottawa bakeoff feedback] problem with ESP Padding
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Rodney" == Rodney Thayer <rodney@sabletech.com> writes:
Rodney> This will of course break all the ESP implementations that
Rodney> support the current draft. Note that you can build in
Rodney> backwards compatability by implementing this:
Rodney> if pad length > 1 then if pad length byte is the same as
Rodney> the previous byte then implement previous pad algorithm
Rodney> i.e. pad_length++;
In testing between SSH and FreeSWAN, we found it had to be:
if(pad_length == 0 ||
(pad_length > 1 && pad_length == previous byte)) {
pad_length++;
}
One can, in theory, use this as a sign to send the esp-v2-00 ESP,
but we realized that in practice, at this level of the stack, one doesn't
know where the corresponding outgoing SA is (or if there is one).
If we can make the decision here in Ottawa, then we could test
things tomorrow.
] At the AIAG/ANX IPsec interoperability workshop | one quark [
] Michael Richardson, Sandelman Software Works, Ottawa, ON | two quark [
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ | red q blue q[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQB1AwUBNCluYMmxxiPyUBAxAQGj1AL/SuD+KcwAvTQ8S14DVF+lvl57r+0roanK
5qUJKIJpXU5L1gG1f6I/Q4hmyb9uUcVDS6g0jeWSHLfeyUEEyfEVuF9qLUSEpYQh
lEPtyUeNkopu0YY9e/xo7dOW8+jTtvzq
=4Boo
-----END PGP SIGNATURE-----
References: