
Re: [mobile-ip] Re: replacing IPsec's replay protection?



Excerpt of message (sent 8 April 2002) by Alex Alten:
> At 07:45 PM 4/7/2002 -0400, Paul Koning wrote:
> > Since you mentioned ECB, I wonder
> > if you are aware of the reasons why ECB is NEVER used for any network
> > security protocol.  There are good reasons why it isn't, and it helps
> > to know what they are.
> 
> Never say NEVER.  Yes, I'm perfectly aware of the dangers.  But to be
> fair the other side of the coin is rarely heard. ECB can be much faster
> than CBC, by computing multiple blocks in parallel and by avoiding the
> memory move of the extra XOR. Complexity is reduced by getting rid of
> synchronizing the IV between sender and receiver, and because packet
> re-ordering is no longer an issue. These are the engineering vs security
> tradeoffs one has to consider while designing a system.

IPsec uses explicit IV, there is NO synchronization of IV between
sender and receiver.  Nor is there any issue of packet reordering.
You may be confused with SSL.

As for the performance cost of CBC: in software, the cost is one load
instruction per packet (for the IV) and one XOR instruction per 8
bytes.  There is no extra memory move.

In hardware, CBC forces serialization of the block processing within a
packet.  That can limit your ultimate performance (though there are
chips available that will do single stream CBC at well above 1 Gb/s).
But that doesn't limit your performance in practice, certainly not for
multiple SAs, and not even for a single SA when there are multiple
packets to process if you do a bit more work (as I did in an
implementation of IPsec a few years ago).

Finally, if you're interested in a mode that doesn't have the
serialization properties of CBC and also avoids the security defects
of ECB, take a look at counter mode, currently an I-D.

     paul
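
An added illustration of the points in this message (not code from the original post or from any IPsec implementation): ECB exposes repeated plaintext blocks, while CBC with an explicit per-packet IV hides them and still lets each packet be decrypted on its own, in any arrival order. The block cipher is a toy 64-bit Feistel construction standing in for a real cipher; all function names and the block-aligned sample payload are constructed for the example, and padding is omitted.

```python
import hashlib, hmac, os

BLOCK = 8  # 64-bit block size, as with DES/3DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def crypt_block(key, blk, decrypt=False):
    # Toy 4-round Feistel cipher (stand-in, not a real cipher).
    # Decryption = swapped halves run through the rounds in reverse order.
    l, r = (blk[4:], blk[:4]) if decrypt else (blk[:4], blk[4:])
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        f = hmac.new(key, bytes([rnd]) + r, hashlib.sha256).digest()[:4]
        l, r = r, _xor(l, f)
    return r + l if decrypt else l + r

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # Blocks are independent (parallelizable), but equal plaintext gives equal ciphertext.
    return b"".join(crypt_block(key, b) for b in blocks(pt))

def cbc_encrypt(key, pt, iv=None):
    # Explicit IV: a fresh IV is sent as the first block of every packet.
    prev = iv or os.urandom(BLOCK)
    out = [prev]
    for b in blocks(pt):
        prev = crypt_block(key, _xor(b, prev))  # the one XOR per 8 bytes
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, packet):
    # Uses only this packet's own blocks, so arrival order does not matter.
    c = blocks(packet)
    return b"".join(_xor(crypt_block(key, cur, True), prev) for prev, cur in zip(c, c[1:]))

def demo():
    key = b"constructed demo key"
    payload = b"SAMEBLK!SAMEBLK!trailer."  # constructed, block-aligned sample payload
    ecb = blocks(ecb_encrypt(key, payload))
    pkts = [cbc_encrypt(key, payload) for _ in range(3)]
    return {"ecb_repeats_visible": ecb[0] == ecb[1],
            "cbc_packets_differ": len(set(pkts)) == 3,
            "cbc_reordered_ok": all(cbc_decrypt(key, p) == payload for p in reversed(pkts))}

if __name__ == "__main__":
    print(demo())
```

The serialization discussed for hardware shows up in `cbc_encrypt`: each block's input depends on the previous ciphertext block, whereas `cbc_decrypt` and `ecb_encrypt` touch each block independently.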