Paul Wouters <[email protected]> wrote:
    > Choices like that make me nervous that an attacker can tweak the padding
    > option. Who knows what oracle that can become in the future. There MUST
    > only be one way to do things. So I would rather see:

    > The sender MUST NOT include padding and set the Pad Length field to
    > zero. The receiver MUST reject a non-zero Pad Length field.

No, the sender should be able to add as much padding as they want whenever
they want. And "reject" is the wrong operation (that implies an ICMP or
other message). If you want to say something, the correct operation is
ignore (=silently drop).

If the attacker can tweak the padding, they must be inside of the sender;
IPsec has the padding inside the encryption and authentication, unlike some
other algorithms.

This is necessary to defeat traffic analysis where one looks at timing of
very short packets (which might be keystrokes).

It also lets the sender send a NH=0 chaff packet with a bunch of padding so
that it looks like real data.

--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-
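
The following is an added example, not part of the original message or of the draft under discussion. It assumes the RFC 4303 ESP trailer layout (padding, Pad Length, Next Header, then ICV) and models only the integrity half: padding hides payload size, and a modified Pad Length fails the ICV check and is silently dropped. The names `seal`, `open_packet`, `demo` and the 64-byte bucket are hypothetical.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16   # HMAC-SHA-256 truncated to 128 bits
BUCKET = 64    # assumed size every short payload is padded up to

def seal(key, spi, seq, payload, next_header, bucket=BUCKET):
    """Return SPI | Seq | payload | padding | Pad Length | Next Header | ICV."""
    pad_len = -(len(payload) + 2) % bucket
    if pad_len > 255:
        raise ValueError("Pad Length is a single octet")
    padding = bytes(range(1, pad_len + 1))   # RFC 4303 default: 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding
    body += bytes([pad_len, next_header])
    # Real ESP encrypts payload..Next Header first; omitted (no stdlib cipher).
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv

def open_packet(key, packet):
    """Return (next_header, payload), or None meaning 'silently drop'."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                      # trailer was altered in transit
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 10:         # padding cannot exceed the payload area
        return None
    return next_header, body[8:len(body) - 2 - pad_len]

def demo():
    key = bytes(range(32))               # constructed sample key
    keystroke = seal(key, 0x1000, 1, b"x", 6)
    bulk = seal(key, 0x1000, 2, b"y" * 40, 6)
    tampered = bytearray(keystroke)
    tampered[-ICV_LEN - 2] ^= 0x01       # flip a bit in Pad Length
    return len(keystroke), len(bulk), open_packet(key, bytes(tampered))

if __name__ == "__main__":
    print(demo())
```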


