On 01/05/2007 10:53 AM, Paul Hoffman wrote:

> You could take an IPsec stack and repurpose it down one layer in the
> stack. At least that way you'll know the security properties of what you
> create.

That is a Good Idea that can be used in a wide range of
situations.  Here is some additional detail:

This can be understood as follows:  Half of IPsec "tunnel
mode" can be described as IPIP encapsulation layered on
top of "transport mode" which does the encryption and
arranges for transport of the encrypted packets.

   The other half of IPsec is the SPDB, which is an
   important part of IPsec but is often underappreciated
   by non-experts.

So ... one obvious way forward is to do what might be
called L2sec (layer 2 security) in analogy to IPsec.
That is, do layer-2-in-IP encapsulation using GRE or
the like, and then layer that on top of IPsec transport

  Then you make some straightforward tweaks to the
  SPDB and you've something pretty nice.  As PH
  said, the security properties will be well known.

This may sound like overkill, but it is likely to be
/easier/ than anything else you can think of (not to
mention more secure and more richly featured).

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to