
RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt



On Mon, 26 Aug 2002, Waterhouse, Richard wrote:
> ...applications that need to run in such environments have to do FEC/CRC
> end-to-end. And they can't do it if the data carried in the packets is
> discarded, and not passed up, because of an ESP level authentication
> function.

Then the right thing to do is to do encryption and authentication end-to-end
as well, *above* the error-correction layer.

> > By the way, the reason for making authentication a MUST is that there are
> > effective active attacks against confidentiality without it.  You don't
> > *get* reliable confidentiality without authentication. 
> > 
> >>> This should be a security policy issue to be negotiated.  If I have other
> mechanisms at higher layers that can compensate...

How do mechanisms at higher layers "compensate" for easily-breakable
encryption?  I can't make any sense of this; can you elaborate? 

                                                          Henry Spencer
                                                       henry@spsystems.net
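
[Added example, not part of the original message or of the draft under discussion: a counter-mode sketch showing why the receiver needs an integrity check before decrypting. The keystream function is a SHA-256 stand-in for AES-CTR, and the keys, nonce and message are constructed sample values; all function names are hypothetical.]

```python
import hashlib
import hmac

def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumption: SHA-256(key || nonce || counter) stands in for the AES block
    # function so the example runs with the standard library only.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode: encryption and decryption are the same XOR with the keystream.
    return bytes(a ^ b for a, b in zip(data, ctr_keystream(key, nonce, len(data))))

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    # Encrypt, then compute the integrity tag over nonce and ciphertext.
    ct = ctr_xor(enc_key, nonce, plaintext)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_checked(enc_key, mac_key, nonce, ct, tag):
    # Receiver side: verify the tag first; a failed check means drop, not decrypt.
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return ctr_xor(enc_key, nonce, ct)

def modify_in_transit(ct: bytes, offset: int, delta: bytes) -> bytes:
    # A keyless change to the ciphertext: XOR 'delta' in at 'offset'.
    out = bytearray(ct)
    for i, d in enumerate(delta):
        out[offset + i] ^= d
    return bytes(out)

def demo():
    enc_key, mac_key, nonce = b"E" * 16, b"M" * 32, b"N" * 8   # constructed values
    plaintext = b"PAY 0100 TO ALICE"                           # constructed message
    ct, tag = seal(enc_key, mac_key, nonce, plaintext)
    delta = bytes(a ^ b for a, b in zip(b"0100", b"9100"))
    altered = modify_in_transit(ct, 4, delta)
    without_auth = ctr_xor(enc_key, nonce, altered)            # decrypts "cleanly"
    with_auth = open_checked(enc_key, mac_key, nonce, altered, tag)
    intact = open_checked(enc_key, mac_key, nonce, ct, tag)
    return without_auth, with_auth, intact

if __name__ == "__main__":
    print(demo())
```

Without the tag check the altered packet decrypts to a well-formed but different message; with it, the altered packet is rejected and only the untouched one is delivered.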