[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Generation of IV for ESP

To: "Amol Deshmukh" <adeshmukh@pace.stpp.soft.net>
Subject: Re: Generation of IV for ESP
From: Stephen Kent <kent@bbn.com>
Date: Fri, 18 Jan 2002 23:26:22 -0500
Cc: <ipsec@lists.tislabs.com>
In-Reply-To: <00b201c1a04a$9353a0c0$af64a8c0@pace.stpp.soft.net>
References: <00b201c1a04a$9353a0c0$af64a8c0@pace.stpp.soft.net>
Sender: owner-ipsec@lists.tislabs.com

At 11:34 PM +0530 1/18/02, Amol Deshmukh wrote:
>Hi,
>
>I had a question about the generation of IV for ESP mode.
>
>I have come across following Situations in the various
>IPsec Implementations:
>1) Implicit IV is used by generating it at the
>respective peers by use of SEQ_ID.i.e
>            IV[0-3] = Seq-id;
>            IV[4-7] = ~Seq-id;
>
>Which is the most standard way to use in Implicit IV
>case? Or How is the IV generated so that there are
>no interoperatibility issues with different IPsec
>implementations?
>     Will the using of sequence ID for generation of IV
>solve this issue?
>
>I would be thankful if you could help me with the
>above query.
>

To use an implicit IV, one should negotiate a crypto algorithm and 
mode that is defined to use such an IV.  The RFC defining such a mode 
will specify how to construct the IV.  Note that the default crypto 
modes defined for IPsec do not use an implicit IV, and there have 
been recommendations to not use an IV of the sort you describe, since 
it represents a small IV space.

Steve

Follow-Ups:
- Options field in Outer IP Header
  - From: "Amol Deshmukh" <adeshmukh@pace.stpp.soft.net>

References:
- Generation of IV for ESP
  - From: "Amol Deshmukh" <adeshmukh@pace.stpp.soft.net>

Prev by Date: Re: Minutes for the SLC IPSEC meeting
Next by Date: Problem with GRE TUNNELS and using IPSEC encryptor
Prev by thread: Generation of IV for ESP
Next by thread: Options field in Outer IP Header
Index(es):
- Date
- Thread