
Re: re the plenary discussion on partial checksums

2003-07-17 02:19:09
In message <FD4B13C8-B830-11D7-9CD6-00039388672E(_at_)muada(_dot_)com>, Iljitsch van Beijnum writes:


Interesting aspect: it should be possible to make this work with IPsec 
encryption but not authentication, but not so well with ciphers in CBC 
mode. A stream cipher would be better here.


Here is the Security Considerations text that Gorry Fairhurst has
inserted into draft-ietf-tsvwg-udp-lite-01.txt to satisfy my DISCUSS:

---

Security Considerations

The security impact of UDP-Lite is related to its interaction with
authentication and encryption mechanisms. When the partial checksum option
of UDP-Lite is enabled, the insensitive portion of a packet may change in
transit. This is contrary to the idea behind most authentication mechanisms:
authentication succeeds if the packet has not changed in transit. Unless
authentication mechanisms that operate only on the sensitive part of packets
are developed and used, authentication will always fail for UDP-Lite packets
where the insensitive part has been damaged.

The IPSec integrity check (Encapsulation Security Protocol, ESP, or
Authentication Header, AH) is applied (at least) to the entire IP packet
payload. Corruption of any bit within the protected area will then result in
discarding the UDP-Lite packet by the IP receiver.

Encryption (e.g. IPSEC ESP with payload, but no integrity check)
may be used.  Note that omitting an integrity check can, under
certain circumstances, compromise confidentiality [Bell98].

If a few bits of an encrypted packet are damaged, the decryption
transform will typically spread errors so that the packet becomes
too damaged to be of use.  Many encryption transforms today exhibit
this behavior.  There exist encryption transforms, stream ciphers,
which do not cause error propagation.  Proper use of stream ciphers
can be quite difficult, especially when authentication-checking is
omitted [BB01].  In particular, an attacker can cause predictable
changes to the ultimate plaintext, even without being able to
decrypt the ciphertext.


                --Steve Bellovin, http://www.research.att.com/~smb (me)
                http://www.wilyhacker.com (2nd edition of "Firewalls" book)
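
The error-propagation contrast in the quoted Security Considerations text can be checked with a small simulation. This is an added example, not part of the message or of the draft; the 4-round Feistel block cipher and the SHA-256 counter keystream are toy stand-ins assumed here so the code runs with only the standard library, and the key, IV and payload are constructed.

```python
import hashlib

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block(key, block, decrypt=False):
    # 4-round Feistel stand-in for a real 128-bit block cipher (NOT secure)
    f = lambda i, half: hashlib.sha256(key + bytes([i]) + half).digest()[:8]
    l, r = block[:8], block[8:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = (_xor(r, f(i, l)), l) if decrypt else (r, _xor(l, f(i, r)))
    return l + r

def cbc(key, iv, data, decrypt=False):
    out, prev = b"", iv
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        if decrypt:
            out, prev = out + _xor(toy_block(key, blk, True), prev), blk
        else:
            prev = toy_block(key, _xor(blk, prev))
            out += prev
    return out

def stream_xor(key, nonce, data):
    # Keystream = SHA-256(key || nonce || counter); same call encrypts and decrypts
    ks = b"".join(hashlib.sha256(key + nonce + n.to_bytes(4, "big")).digest()
                  for n in range(len(data) // 32 + 1))
    return _xor(data, ks)

def flip_bit(data, bit):
    buf = bytearray(data)
    buf[bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(buf)

def damaged_bits(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def compare(bit=20):
    key, iv = b"constructed-key!", b"constructed-iv!!"
    pt = bytes(range(64))  # constructed 4-block payload
    s = stream_xor(key, iv, flip_bit(stream_xor(key, iv, pt), bit))
    c = cbc(key, iv, flip_bit(cbc(key, iv, pt), bit), decrypt=True)
    return {"stream": damaged_bits(pt, s), "cbc": damaged_bits(pt, c),
            "cbc_next_block": damaged_bits(pt[16:32], c[16:32]),
            "stream_change_predictable": s == flip_bit(pt, bit)}

if __name__ == "__main__":
    print(compare())
```

With one ciphertext bit damaged, the stream cipher output differs from the original in exactly that bit, while CBC garbles the whole containing block and flips the same bit position in the following block. The `stream_change_predictable` result is the malleability the text warns about: without an integrity check the receiver cannot tell line damage from deliberate modification.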
