On 01/05/2007 10:53 AM, Paul Hoffman wrote:
You could take an IPsec stack and repurpose it down one layer in the
stack. At least that way you'll know the security properties of what you
That is a Good Idea that can be used in a wide range of
situations. Here is some additional detail:
This can be understood as follows: Half of IPsec tunnel
mode can be described as IPIP encapsulation layered on
top of transport mode which does the encryption and
arranges for transport of the encrypted packets.
The other half of IPsec is the SPDB, which is an
important part of IPsec but is often underappreciated
So ... one obvious way forward is to do what might be
called L2sec (layer 2 security) in analogy to IPsec.
That is, do layer-2-in-IP encapsulation using GRE or
the like, and then layer that on top of IPsec transport
Then you make some straightforward tweaks to the
SPDB and you've something pretty nice. As PH
said, the security properties will be well known.
This may sound like overkill, but it is likely to be
/easier/ than anything else you can think of (not to
mention more secure and more richly featured).
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]