RE: Q: Why IPSEC to be used only in CBC mode & not other like CFB or OFB ?
Paul,
> >>>>> "Chris" == Chris Trobridge <CTrobridge@baltimore.com> writes:
>
> Chris> It does reinforce the advantages of authentication in ESP. I
> Chris> don't know if I've come to the point of assuming ESP
> Chris> authentication is pretty much essential through this group or
> Chris> through discussions with customers, but what do others think?
>
>I've been convinced by Steve Bellovin's papers that it is essential.
>Unfortunately, we're not currently allowed to reject ESP with null
>authentication. As far as I'm concerned, that's a bug, but
>unfortunately some feel differently. We're definitely telling people
>in documentation not to skip authentication.
>
>Both in software and hardware, there is no performance justification
>for omitting authentication.
I think the technical term here is "wrong" :-). In software
implementations, performing authentication on ESP packets adds delay
and may become a throughput limiting factor, assuming serial
processing. In all systems it adds bytes that must be transmitted.
In an era where our wireless friends are pushing for certificate
lite, and people are hacking TCP at intermediate points to improve
performance, the extra 12 bytes of authentication data may be the
proverbial straw in some instances. Thus it is appropriate to not
mandate use of authentication in ESP in all circumstances.
Steve
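The disagreement above is about cost, not about what authentication buys. The quoted claim that ESP authentication is essential rests on Bellovin's analysis of CBC encryption used without an integrity check: a change to one ciphertext block garbles that block but changes the next plaintext block by exactly the same XOR, and a receiver doing ESP with NULL authentication has no way to notice. The following is an added example, not code from this thread or from any IPsec implementation. It stands in a constructed 64-bit Feistel toy cipher for DES so that it runs with only the Python standard library; keys, IV and plaintext are constructed; the ICV is HMAC-SHA-1 truncated to 96 bits, the 12 bytes mentioned above, and for brevity it is computed over IV + ciphertext only (a real ESP ICV also covers the SPI, sequence number and trailer).

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, as with DES-CBC; the cipher below is a toy, not DES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, data: bytes) -> bytes:
    # Keyed round function for the toy Feistel cipher (constructed for illustration).
    return hmac.new(key, data, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel toy block cipher; a bijection on 8-byte blocks."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, xor(l, _round(key + bytes([i]), r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key + bytes([i]), l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "caller pads to the block size"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # Plaintext block i = D(C_i) XOR C_{i-1}: a change to C_{i-1} shows up
    # unchanged in block i, which is the property the ICV exists to catch.
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def compute_icv(auth_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """HMAC-SHA-1-96: the 12-byte ICV of RFC 2404 (here over IV + ciphertext only)."""
    return hmac.new(auth_key, iv + ciphertext, hashlib.sha1).digest()[:12]


def receive(auth_key: bytes, enc_key: bytes, iv: bytes, ciphertext: bytes, icv=None):
    """Receiver side. icv=None models ESP with NULL authentication: whatever
    arrived is decrypted and passed up. With an ICV, verify first (constant-time
    compare) and drop the packet on mismatch, returning None."""
    if icv is not None:
        if not hmac.compare_digest(compute_icv(auth_key, iv, ciphertext), icv):
            return None
    return cbc_decrypt(enc_key, iv, ciphertext)


# Constructed keys, IV and three-block payload.
ENC_KEY = b"constructed-enc-key"
AUTH_KEY = b"constructed-auth-key"
IV = bytes(range(BLOCK))
PLAINTEXT = b"block-0 " + b"block-1 " + b"block-2 "


def demo() -> dict:
    ct = cbc_encrypt(ENC_KEY, IV, PLAINTEXT)
    icv = compute_icv(AUTH_KEY, IV, ct)
    # Model a one-bit in-flight change to ciphertext block 0.
    mask = bytes([0x01]) + bytes(BLOCK - 1)
    altered = xor(ct[:BLOCK], mask) + ct[BLOCK:]
    return {
        "icv_bytes": len(icv),
        "null_auth_result": receive(AUTH_KEY, ENC_KEY, IV, altered),
        "icv_result_altered": receive(AUTH_KEY, ENC_KEY, IV, altered, icv),
        "icv_result_original": receive(AUTH_KEY, ENC_KEY, IV, ct, icv),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

With NULL authentication the receiver hands up a packet whose block 0 is garbage and whose block 1 reads `clock-1 ` instead of `block-1 ` (the single flipped bit carried straight into the plaintext), while the same 12-byte ICV that costs the extra bytes discussed above rejects the altered packet outright and still accepts the unmodified one.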