Re: Byte-count lifetime enforcement?
Folks,

I mentioned to Steve Kent that using as the byte count the "IP
payload, prior to adding the ESP header and trailer" seems to
imply one particular implementation, and that folks might not be
implementing things that way.  The manner in which input processing
is implemented might also make it unlikely that the suggested
number would be readily available.

I suspect that a number that would be available in implementations is
the number of bytes fed to the algorithm.  (If both ends do not agree
on that number, the packet had better be discarded.  :-) Steve agreed
with the reasoning, but pointed out, as has Dan, that the text does
not specify which algorithm should be used for ESP.  Dan suggests the
primary algorithm: encryption for ESP, and authentication for AH.

How do folks feel about adding Dan's clarification to the Architecture
document?

(Note that since it is a "SHOULD", there is no reason to delay any
products; those using some other count may change their code when
convenient.  As Angelos pointed out, things should be designed to
work no matter which end is the first to exhaust its count.)

Charlie
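As an added illustration of the two candidate counts discussed above (example code written for this page, not from the original message or from any IPsec implementation): it computes, per packet, the "IP payload prior to ESP" count beside the "bytes fed to the encryption algorithm" count, and tracks an SA byte lifetime with a soft limit that triggers rekeying and a hard limit that retires the SA, so that either end can exhaust first without loss. The 16-byte cipher block size, the 2-byte ESP trailer and the soft/hard limit scheme are assumptions.

```python
# Constructed assumptions: a 16-byte block cipher (e.g. AES-CBC) and the
# 2-byte ESP trailer (pad length + next header); no IV or ICV is counted.
BLOCK = 16
ESP_TRAILER = 2


def pad_len(payload_len, block=BLOCK):
    """ESP padding needed so payload + padding + trailer is block aligned."""
    return (-(payload_len + ESP_TRAILER)) % block


def cipher_input_len(payload_len, block=BLOCK):
    """Bytes actually fed to the encryption algorithm for one packet."""
    return payload_len + pad_len(payload_len, block) + ESP_TRAILER


class SaLifetime:
    """Byte-count lifetime for one SA, measured with one chosen metric."""

    def __init__(self, soft, hard, metric):
        self.soft, self.hard, self.metric = soft, hard, metric
        self.count = 0
        self.rekey_requested = False

    def account(self, payload_len):
        n = self.metric(payload_len)
        if self.count + n > self.hard:
            return "expired"  # hard limit: this SA must not carry the packet
        self.count += n
        if self.count >= self.soft and not self.rekey_requested:
            self.rekey_requested = True
            return "rekey"  # soft limit: start negotiating a replacement SA
        return "ok"


def run(sizes, soft, hard):
    """Feed the same packets through both metrics; return counts and events.

    One peer counts the IP payload before ESP processing, the other counts
    the bytes fed to the cipher; whichever hits the soft limit first
    initiates the rekey, and the hard limit backstops both.
    """
    payload_side = SaLifetime(soft, hard, lambda n: n)
    cipher_side = SaLifetime(soft, hard, cipher_input_len)
    events = [(payload_side.account(n), cipher_side.account(n)) for n in sizes]
    return (payload_side.count, cipher_side.count), events
```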