From: Dawid Ciezarkiewicz <dpc@asn.pl>
To: "Stephen J. Bevan" <stephen@dino.dnsalias.com>
Cc: netdev@vger.kernel.org
Subject: Re: [RFC] Ethernet Cheap Cryptography
Date: Fri, 20 Oct 2006 21:50:00 +0200 [thread overview]
Message-ID: <200610202150.00999.dpc@asn.pl> (raw)
In-Reply-To: <17718.63424.509719.492216@localhost.localdomain>
On Thursday, 19 October 2006 05:57, Stephen J. Bevan wrote:
> And if the packets come out of order i.e. you get a packet with a new
> key followed by a packet with the old key?
As IV from invalid frames are saved ccrypt will synchronize anyway, but I was
wrong in one aspect - in current implementation each reorder will cost two
frames, not one. This could be possibly reduced to only one, but I must find
a time to investigate that more.
> If the keying is done manually an attacker won't know when the keys
> are changed. However, if keying is coordinated over the same link via
> a protocol (as is done with IKE for IPsec) then the attacker can see
> (or at least guess) the packets carrying the keying protcol thus know
> re-keying is going to occur.
Simple random delay should do the trick.
> For completness there are also switches that :-
>
> * take notice of the TOS/DiffServ bits in an IP header and will
> re-order based on them
Looks like a good reason to change frame type field so it does not look like
IP packet.
> * will re-order frames due to redundancy, load-balancing,
> spanning-tree changes ... etc.
In summary - using ccrypt with switches may lead to problems.
prev parent reply other threads:[~2006-10-20 19:50 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-15 16:20 [RFC] Ethernet Cheap Cryptography Dawid Ciezarkiewicz
2006-10-15 21:35 ` James Morris
2006-10-15 22:15 ` Dawid Ciezarkiewicz
2006-10-18 3:21 ` Stephen J. Bevan
2006-10-18 3:25 ` David Miller
2006-10-18 9:51 ` Dawid Ciezarkiewicz
2006-10-18 10:16 ` David Miller
2006-10-18 11:35 ` Dawid Ciezarkiewicz
2006-10-18 9:15 ` Dawid Ciezarkiewicz
2006-10-18 14:31 ` Dawid Ciezarkiewicz
2006-10-19 3:57 ` Stephen J. Bevan
2006-10-19 15:58 ` Pawel Foremski
2006-10-20 2:18 ` Stephen J. Bevan
2006-10-20 2:59 ` David Miller
2006-10-21 2:17 ` Stephen J. Bevan
2006-10-21 2:20 ` David Miller
2006-10-20 20:18 ` Pawel Foremski
2006-10-21 1:58 ` Stephen J. Bevan
2006-10-21 2:28 ` Stephen Hemminger
2006-10-21 15:33 ` Pawel Foremski
2006-10-21 15:12 ` Pawel Foremski
2006-10-22 0:05 ` Stephen J. Bevan
2006-10-20 19:50 ` Dawid Ciezarkiewicz [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200610202150.00999.dpc@asn.pl \
--to=dpc@asn.pl \
--cc=netdev@vger.kernel.org \
--cc=stephen@dino.dnsalias.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.