
Re: [mobile-ip] Re: replacing IPsec's replay protection?



At 08:58 AM 4/8/2002 -0400, Paul Koning wrote:
>Excerpt of message (sent 8 April 2002) by Alex Alten:
>> At 07:45 PM 4/7/2002 -0400, Paul Koning wrote:
>> > Since you mentioned ECB, I wonder
>> >if you are aware of the reasons why ECB is NEVER used for any network
>> >security protocol.  There are good reasons why it isn't, and it helps
>> >to know what they are.
>> 
>> Never say NEVER.  Yes, I'm perfectly aware of the dangers.  But to be
>> fair the other side of the coin is rarely heard. ECB can be much faster
>> than CBC, by computing multiple blocks in parallel and by avoiding the
>> memory move of the extra XOR. Complexity is reduced by getting rid of
>> synchronizing the IV between sender and receiver, and because packet
>> re-ordering is no longer an issue. These are the engineering vs security
>> tradeoffs one has to consider while designing a system.
>
>IPsec uses explicit IV, there is NO synchronization of IV between
>sender and receiver.  Nor is there any issue of packet reordering.
>You may be confused with SSL.
>

Actually not, I was speaking more generally than IPsec.  All IVs
require some sort of coordination even if it is a simple logic.

>As for the performance cost of CBC: in software, the cost is one load
>instruction per packet (for the IV) and one XOR instruction per 8
>bytes.  There is no extra memory move.
>

These two sentences contradict each other; I agree with the first one.

>In hardware, CBC forces serialization of the block processing within a
>packet.  That can limit your ultimate performance (though there are
>chips available that will do single stream CBC at well above 1 Gb/s).
>But that doesn't limit your performance in practice, certainly not for
>multiple SAs, and not even for a single SA when there are multiple
>packets to process if you do a bit more work (as I did in an
>implementation of IPsec a few years ago).
>

These are true enough.  However to date probably not more than 5% of
the hosts have hardware acceleration available to them.  Unfortunately,
these pipelining techniques will not work when fragmentation reorders the
pieces of an incoming packet.

>Finally, if you're interested in a mode that doesn't have the
>serialization properties of CBC and also avoids the security defects
>of ECB, take a look at counter mode, currently an I-D.
>

Thanks, I'll take a look at it.

- Alex
--

Alex Alten
Alten@ATTBI.com
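
The three modes compared in this thread, as an added example that is not part of the original messages: ECB, CBC with an explicit per-packet IV, and counter mode, run over a payload with repeated blocks. The block cipher is a hash-based Feistel stand-in (an assumption, not a real cipher), and all names, keys and payloads are constructed for illustration.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, matching the thread's "one XOR per 8 bytes"

def encrypt_block(key, block):
    # Stand-in 4-round Feistel permutation (NOT a real cipher; for mode demos only).
    l, r = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + r).digest()[:4]
        l, r = r, xor(l, f)
    return l + r

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key, pt):
    # Blocks are independent (parallel), but equal plaintext gives equal ciphertext.
    return b"".join(encrypt_block(key, b) for b in blocks(pt))

def cbc(key, pt, iv):
    # Explicit IV is sent in front of the ciphertext; each block waits on the last.
    out, prev = [iv], iv
    for b in blocks(pt):
        prev = encrypt_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def ctr(key, pt, nonce, order=None):
    # Keystream block i depends only on (key, nonce, i), so blocks can be
    # processed in any order. The nonce would travel in the packet like an IV
    # and must never repeat under one key. Same call decrypts.
    bs = blocks(pt)
    out = [b""] * len(bs)
    for i in (order if order is not None else range(len(bs))):
        keystream = encrypt_block(key, nonce + i.to_bytes(4, "big"))
        out[i] = xor(bs[i], keystream)
    return b"".join(out)

def repeated_blocks(ct):
    # Number of ciphertext blocks that duplicate an earlier block.
    bs = blocks(ct)
    return len(bs) - len(set(bs))

KEY = b"constructed-key!"                  # constructed sample values
IV, NONCE = b"\x01" * BLOCK, b"\x02" * 4
PACKET = b"AAAAAAAA" * 3 + b"BBBBBBBB"     # three identical plaintext blocks

if __name__ == "__main__":
    print("ECB:", repeated_blocks(ecb(KEY, PACKET)),
          "CBC:", repeated_blocks(cbc(KEY, PACKET, IV)),
          "CTR:", repeated_blocks(ctr(KEY, PACKET, NONCE)))
```

Only the ECB output shows duplicated ciphertext blocks; the counter-mode result is identical whether its blocks are processed in order or shuffled.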