From: Dawid Ciezarkiewicz <dpc@asn.pl>
To: "Stephen J. Bevan" <stephen@dino.dnsalias.com>
Cc: netdev@vger.kernel.org
Subject: Re: [RFC] Ethernet Cheap Cryptography
Date: Fri, 20 Oct 2006 21:50:00 +0200 [thread overview]
Message-ID: <200610202150.00999.dpc@asn.pl> (raw)
In-Reply-To: <17718.63424.509719.492216@localhost.localdomain>
On Thursday, 19 October 2006 05:57, Stephen J. Bevan wrote:
> And if the packets come out of order i.e. you get a packet with a new
> key followed by a packet with the old key?
As IV from invalid frames are saved ccrypt will synchronize anyway, but I was
wrong in one aspect - in current implementation each reorder will cost two
frames, not one. This could be possibly reduced to only one, but I must find
a time to investigate that more.
> If the keying is done manually an attacker won't know when the keys
> are changed. However, if keying is coordinated over the same link via
> a protocol (as is done with IKE for IPsec) then the attacker can see
> (or at least guess) the packets carrying the keying protcol thus know
> re-keying is going to occur.
Simple random delay should do the trick.
> For completness there are also switches that :-
>
> * take notice of the TOS/DiffServ bits in an IP header and will
> re-order based on them
Looks like a good reason to change frame type field so it does not look like
IP packet.
> * will re-order frames due to redundancy, load-balancing,
> spanning-tree changes ... etc.
In summary - using ccrypt with switches may lead to problems.
prev parent reply other threads:[~2006-10-20 19:50 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-15 16:20 [RFC] Ethernet Cheap Cryptography Dawid Ciezarkiewicz
2006-10-15 21:35 ` James Morris
2006-10-15 22:15 ` Dawid Ciezarkiewicz
2006-10-18 3:21 ` Stephen J. Bevan
2006-10-18 3:25 ` David Miller
2006-10-18 9:51 ` Dawid Ciezarkiewicz
2006-10-18 10:16 ` David Miller
2006-10-18 11:35 ` Dawid Ciezarkiewicz
2006-10-18 9:15 ` Dawid Ciezarkiewicz
2006-10-18 14:31 ` Dawid Ciezarkiewicz
2006-10-19 3:57 ` Stephen J. Bevan
2006-10-19 15:58 ` Pawel Foremski
2006-10-20 2:18 ` Stephen J. Bevan
2006-10-20 2:59 ` David Miller
2006-10-21 2:17 ` Stephen J. Bevan
2006-10-21 2:20 ` David Miller
2006-10-20 20:18 ` Pawel Foremski
2006-10-21 1:58 ` Stephen J. Bevan
2006-10-21 2:28 ` Stephen Hemminger
2006-10-21 15:33 ` Pawel Foremski
2006-10-21 15:12 ` Pawel Foremski
2006-10-22 0:05 ` Stephen J. Bevan
2006-10-20 19:50 ` Dawid Ciezarkiewicz [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200610202150.00999.dpc@asn.pl \
--to=dpc@asn.pl \
--cc=netdev@vger.kernel.org \
--cc=stephen@dino.dnsalias.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).