Re: comments on draft-ietf-ipsec-new-esp-00
Steven Bellovin <smb@research.att.com> Sat, 05 April 1997 20:03 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id PAA19032 for ipsec-outgoing; Sat, 5 Apr 1997 15:03:28 -0500 (EST)
Message-Id: <199704052007.PAA03116@raptor.research.att.com>
To: Stephen Kent <kent@bbn.com>
cc: adams@cisco.com, ipsec@tis.com
Subject: Re: comments on draft-ietf-ipsec-new-esp-00
Date: Sat, 05 Apr 1997 15:07:09 -0500
From: Steven Bellovin <smb@research.att.com>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
> >The draft should probably state that the IV should always be a multiple of > >32 bits. > >Or require multiples of 64 for IPv6. > > > Well, this is really an algorithm independence issue. We don't get to pick > IV lengths; they are defined by the algorithms. However, we can require > this field to be a multiple of 32 bits and note that if the real IV does > not conform to this requiremend, then the algorithm spec will describe how > padding is performed. No -- your first instinct is right. The <IV,ciphertext> pair is opaque to any level above the decryption routine; thus, higher-level routines can neither known nor care if one is present. At most, the existence of one is a parameter to be passed from the key negotiation layer straight through to the encryption/decryption layer. Let me give a concrete example. In, say, DES-CBC, the IV can be seen as the first block of ciphertext; it's decrypted with any IV whatsoever. The only difference is that the first block of the resulting plaintext -- that is, the plaintext that comes from the (conceptual) decryption of the IV -- is discarded. Seen this way, the difference between the IV and some other portion of the ciphertext is irrelevant. We can carry this further by assuming a block cipher with an 80-bit block size, and hence 80-bit IV. Why would we want to pad the IV? Again, it's just part of the input to the decryption engine. Decisions on the format of the <IV,ciphertext-blocks> field belong in the RFCs describing individual transforms. Those documents can and should consider block alignment and efficiency considerations for likely implementation techniques.
- comments on draft-ietf-ipsec-new-esp-00 Rob Adams
- Re: comments on draft-ietf-ipsec-new-esp-00 Stephen Kent
- Re: comments on draft-ietf-ipsec-new-esp-00 Steven Bellovin