Daniel,

I read the very brief IV-generation I-D and I didn't see an explanation of how to perform IV "compression." As someone else already noted on the list, an IV is carried with each packet to enable decryption of packets that may arrive out of order. Thus it's not enough to have each peer use the same PRF and seed to generate IVs which are not explicitly transported, because of this requirement. Also, if the IV is required to be pseudorandom, there is likely no opportunity for compression in the usual sense. Finally, note that the specs for algorithm modes like GCM treat the IV as a security critical piece of info, for good reason. Thus if one tries to re-use a value such as an ESP sequence number as an IV, all of the ESP sequence number generation/management code becomes security critical wrt algorithm mode evaluation. This topic was discussed in London in the TLS WG meeting, when considering use of ChaCha. I can forward the relevant messages and my slides if you wish.

Steve
_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec
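Added illustration of the two points above (this is example code, not part of Steve's message or of any IETF draft): it shows that a repeated GCM IV under one key leaks the XOR of the two plaintexts, and a sender-side nonce source that derives the nonce from a per-SA salt plus a 32-bit sequence counter and refuses to wrap, so counter management carries the security burden the message describes. The 8-byte salt + 4-byte counter layout and the names sealGCM, nonceReuseLeaksXOR and NonceSource are assumptions made for this example, not any standard's layout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// sealGCM encrypts plaintext under key with a 96-bit nonce and no AAD.
func sealGCM(key, nonce, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // constructed example: callers pass a 16-byte AES key
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return aead.Seal(nil, nonce, plaintext, nil)
}

// nonceReuseLeaksXOR encrypts two equal-length packets under the same key and
// nonce and reports whether c1 XOR c2 == p1 XOR p2. With a repeated IV the CTR
// keystream is identical, so this always holds: that is why GCM treats the IV
// as security critical rather than as a field free to compress or reuse.
func nonceReuseLeaksXOR(key, nonce, p1, p2 []byte) bool {
	c1, c2 := sealGCM(key, nonce, p1), sealGCM(key, nonce, p2)
	for i := range p1 { // ciphertext body precedes the 16-byte tag
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}

// NonceSource builds the nonce from a per-SA salt and a 32-bit sequence
// counter (assumed layout). Because the counter is now the IV, it must never
// wrap: Next returns an error once it is exhausted, forcing a rekey.
type NonceSource struct {
	Salt [8]byte
	Seq  uint64 // 64-bit so the 32-bit wrap point is detected without overflow
}

func (ns *NonceSource) Next() ([]byte, error) {
	if ns.Seq > 0xFFFFFFFF {
		return nil, errors.New("sequence counter exhausted: rekey before sending")
	}
	nonce := make([]byte, 12)
	copy(nonce, ns.Salt[:])
	binary.BigEndian.PutUint32(nonce[8:], uint32(ns.Seq))
	ns.Seq++
	return nonce, nil
}
```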