Re: [mobile-ip] Re: replacing IPsec's replay protection?

[Alex Alten <Alten@attbi.com>]

At 07:45 PM 4/7/2002 -0400, Paul Koning wrote:
>Insulting people is not a good way to convince others that your ideas
>are worth listening to, especially if you don't have any justification
>for your comments.
>

My apologies Paul. I was a little impatient with you. Unfortunately
I don't have the time for laborous justification of my comments.  Each
one of my sentences reflects hard won knowledge and experience, I would
hope you will not take them lightly.

>Yes, unnecessary complexity is the enemy of security.  But necessary
>complexity is how you get security.

You sound wonderfully Delphic. I agree with you in principle.  The
problem is following this in practice, especially with the group of
smart, opinionated people found in this WG.

> Since you mentioned ECB, I wonder
>if you are aware of the reasons why ECB is NEVER used for any network
>security protocol.  There are good reasons why it isn't, and it helps
>to know what they are.

Never say NEVER.  Yes, I'm perfectly aware of the dangers.  But to be
fair the other side of the coin is rarely heard. ECB can be much faster
than CBC, by computing multiple blocks in parallel and by avoiding the
memory move of the extra XOR. Complexity is reduced by getting rid of
synchronizing the IV between sender and receiver, and because packet
re-ordering is no longer an issue. These are the engineering vs security
tradeoffs one has to consider while designing a system.

As an example, if your commercial customers wanted to do *only* simple
privacy for a SANS then a simple AES-ECB encryption of the IO blocks is
a really nice way to go.

- Alex

--

Alex Alten
Alten@ATTBI.com