RE: Q: Why IPSEC to be used only in CBC mode & not other like CFB or OFB ?
Paul,
I guess we must simply disagree. I too hate to see shortsighted
tradeoffs, but the world is full of them, and our standards
environment has many examples. I might agree that the extra
bandwidth devoted to the integrity is not too awful, and I agree that
suitable hardware can parallel process the authentication data and
not make it a bottleneck. However, the Internet (and the IETF) has a
long history of favoring software over hardware when it comes to
these tradeoffs, and I'm not in favor of making IPsec the exception
in this instance. Also, I see very little evidence that the optional
use of the authentication feature of ESP adds significant complexity
to the protocol, since many (most?) folks agree that having an
authentication-only mode for ESP is a good idea.
Steve