In message <FD4B13C8-B830-11D7-9CD6-00039388672E@muada.com>, Iljitsch van Beijnum writes:
>
>Interesting aspect: it should be possible to make this work with IPsec
>encryption but not authentication, but not so well with ciphers in CBC
>mode. A stream cipher would be better here.
>
>

Here is the Security Considerations text that Gorry Fairhurst has
inserted into draft-ietf-tsvwg-udp-lite-01.txt to satisfy my DISCUSS:

---

Security Considerations

The security impact of UDP-Lite is related to its interaction with
authentication and encryption mechanisms. When the partial checksum
option of UDP-Lite is enabled, the insensitive portion of a packet may
change in transit. This is contrary to the idea behind most
authentication mechanisms: authentication succeeds if the packet has
not changed in transit. Unless authentication mechanisms that operate
only on the sensitive part of packets are developed and used,
authentication will always fail for UDP-Lite packets where the
insensitive part has been damaged.

The IPSec integrity check (Encapsulation Security Protocol, ESP, or
Authentication Header, AH) is applied (at least) to the entire IP
packet payload. Corruption of any bit within the protected area will
then result in discarding the UDP-Lite packet by the IP receiver.

Encryption (e.g. IPSEC ESP with payload, but no integrity check) may be
used. Note that omitting an integrity check can, under certain
circumstances, compromise confidentiality [Bell98].

If a few bits of an encrypted packet are damaged, the decryption
transform will typically spread errors so that the packet becomes too
damaged to be of use. Many encryption transforms today exhibit this
behavior. There exist encryption transforms, stream ciphers, which do
not cause error propagation. Proper use of stream ciphers can be quite
difficult, especially when authentication-checking is omitted [BB01].
In particular, an attacker can cause predictable changes to the
ultimate plaintext, even without being able to decrypt the ciphertext.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)
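
Added example, not part of the original message or of the draft: a sketch of the trade-off the quoted text describes, showing a stream cipher that does not propagate bit errors, an integrity tag computed only over the sensitive part, and what goes undetected when the check is omitted. The keystream construction, the HMAC-SHA-256 tag over the covered prefix, the 16-byte coverage and all names and sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream (SHA-256 over key|nonce|counter), constructed for this
    # illustration only; it stands in for a real stream cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR with the keystream.
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))

def partial_tag(mac_key: bytes, nonce: bytes, ct: bytes, coverage: int) -> bytes:
    # MAC the coverage length and only the first `coverage` ciphertext bytes.
    msg = nonce + coverage.to_bytes(2, "big") + ct[:coverage]
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def receive(enc_key, mac_key, nonce, ct, tag, coverage):
    # Returns the plaintext, or None when the sensitive part fails the check.
    if not hmac.compare_digest(tag, partial_tag(mac_key, nonce, ct, coverage)):
        return None
    return xor_crypt(enc_key, nonce, ct)

def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)

def changed_bits(a: bytes, b: bytes) -> list:
    # (byte index, bit) positions where a and b differ.
    return [(i, n) for i, (x, y) in enumerate(zip(a, b))
            for n in range(8) if (x ^ y) >> n & 1]

# Constructed sample: 16-byte sensitive header followed by 32 bytes of samples.
ENC_KEY, MAC_KEY, NONCE = b"E" * 32, b"M" * 32, b"nonce-01"
COVERAGE = 16
PAYLOAD = b"seq=0007;len=32;" + bytes(range(32))
CT = xor_crypt(ENC_KEY, NONCE, PAYLOAD)
TAG = partial_tag(MAC_KEY, NONCE, CT, COVERAGE)

def demo():
    noisy = flip_bit(CT, 20, 3)      # damage in the insensitive part
    altered = flip_bit(CT, 4, 0)     # change inside the covered header
    accepted = receive(ENC_KEY, MAC_KEY, NONCE, noisy, TAG, COVERAGE)
    rejected = receive(ENC_KEY, MAC_KEY, NONCE, altered, TAG, COVERAGE)
    unchecked = xor_crypt(ENC_KEY, NONCE, altered)  # no integrity check at all
    return changed_bits(PAYLOAD, accepted), rejected, changed_bits(PAYLOAD, unchecked)
```

The damaged insensitive byte is delivered with exactly one wrong bit, the altered header is rejected by the partial tag, and the same alteration decrypts cleanly to a one-bit-different header when no tag is checked.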