Hi,
I have some comments regarding the draft.
First, it is not absolutely clear from the draft how
the IV is generated for each packet. I presume
that the IVs are taken sequentially for every new
ESP packet to send from the bit string generated
by prf+. But then it is not clear to me how the receiver
would regenerate the same IV in case of packet loss
and reordering. Sending the LSBs of the IV would help here a bit,
but then the receiver would do quite a lot of work to guess
the right IV; the overall process is not deterministic
and opens up the possibility of a simple DoS attack.
The receiver would also look at the sequence number to
deal with packet loss and reordering, but as far as
I understand the SN is optional in Diet-ESP.
Then, I'm not a crypto expert, but using the same
key for both encryption and IV generation looks
a bit unsound.
Finally, I would prefer defining new transforms
(for example AES-CBC with implicit IV) instead of
negotiating IV compression separately.
Regards,
Valery Smyslov.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
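Editor's note: the following is an added example, not part of the message above and not the draft's or Diet-ESP's own mechanism. It models the reading Valery presumes (IVs taken sequentially from a prf+ output stream) and the receiver-side resynchronisation he raises: with packet loss, the receiver does not know which IV the sender used; with only the IV's low bits on the wire it must trial-decrypt every candidate in its resync window; a reordered packet that arrives after a later one cannot be placed at all; and a forged packet with an arbitrary hint forces the same trial work. The prf+ construction is the one from RFC 7296 section 2.13 instantiated with HMAC-SHA256; the 128-bit IV size, the resync window, the hint width, and the packet schedule are assumptions of this model, chosen for illustration.

```python
"""Model of sequential implicit IVs drawn from a prf+ stream and the
receiver-side IV resynchronisation cost. Hypothetical model for the
discussion above, not Diet-ESP's actual mechanism."""
import hmac
import hashlib

IV_LEN = 16  # assumption: one 128-bit (AES block sized) IV per packet


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ as in RFC 7296 section 2.13, with HMAC-SHA256 as the prf:
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n), n a single byte."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([n]), hashlib.sha256).digest()
        out += t
        n += 1
    return out[:length]


def iv_stream(key: bytes, seed: bytes, count: int) -> list:
    """Sender model: the IV of packet i is the i-th IV_LEN chunk of prf+."""
    ks = prf_plus(key, seed, count * IV_LEN)
    return [ks[i * IV_LEN:(i + 1) * IV_LEN] for i in range(count)]


def lsb_hint(iv: bytes, bits: int) -> int:
    """The low `bits` bits of the IV, i.e. what the sender puts on the wire."""
    return int.from_bytes(iv, "big") & ((1 << bits) - 1) if bits else 0


def resync_candidates(ivs, next_expected, window, hint, bits):
    """Receiver model: every index in [next_expected, next_expected + window)
    whose IV agrees with the transmitted LSBs. Each candidate costs one
    trial decryption, so len(result) is the work the receiver has to do."""
    end = min(next_expected + window, len(ivs))
    return [i for i in range(next_expected, end) if lsb_hint(ivs[i], bits) == hint]


def simulate(ivs, delivered, window, bits):
    """Feed the receiver the packets with true indices `delivered`, in arrival
    order (lost packets absent, reordering allowed). Returns (placed, failed):
    placed holds (index, trial decryptions needed) for packets the receiver
    could place, assuming only the true IV yields a valid plaintext; failed
    holds packets that fell outside the window, including any packet that
    arrives after a later one, because the receiver already moved past it."""
    next_expected = 0
    placed, failed = [], []
    for i in delivered:
        cands = resync_candidates(ivs, next_expected, window,
                                  lsb_hint(ivs[i], bits), bits)
        if i not in cands:
            failed.append(i)
            continue
        placed.append((i, cands.index(i) + 1))  # candidates tried in order
        next_expected = i + 1
    return placed, failed


def forged_packet_cost(ivs, next_expected, window, hint, bits):
    """Trial decryptions an attacker forces by sending a packet carrying an
    arbitrary hint: the receiver cannot reject it before trying every match."""
    return len(resync_candidates(ivs, next_expected, window, hint, bits))


if __name__ == "__main__":
    key, seed = b"k" * 32, b"constructed seed"          # constructed inputs
    ivs = iv_stream(key, seed, 64)
    arrival = [0, 1, 2, 5, 6, 4, 7]                      # 3 lost, 4 reordered
    for bits in (0, 8, 128):
        placed, failed = simulate(ivs, arrival, window=16, bits=bits)
        print(f"{bits:3d} hint bits: placed={placed} failed={failed} "
              f"forged cost={forged_packet_cost(ivs, 0, 16, 0, bits)}")
```

With no hint bits every packet after a loss costs as many trials as its distance from the expected index, a forged packet costs a full window of trial decryptions, and packet 4 is unplaceable in every run because it arrives after packets 5 and 6; widening the hint cuts the trial count but never restores the reordered packet, which is exactly why an explicit sequence number (or a transform whose IV is derived from one) removes the problem rather than shrinking it.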