Stephen Kent | 6 Jun 2005 16:56

response not sent to the list

Joe,

The short form summary of your message is:

	- you believe that rate limiting should be effected via weak 
integrity algorithms and use of sequence numbers, vs. a separate 
mechanism that decouples integrity from crypto-based rate limiting. 
You provide no good analysis of why this should be true.

	- you characterized MD5 as "crackable" in protocols such as 
ESP & AH, but MD5 is used there in the HMAC construct, so your 
characterization seems an exaggeration, at best.

	- you believe routers really should implement IPsec on line 
cards, even though this is not generally viewed as an appropriate 
security mechanism for subscriber traffic protection by most folks 
(except, perhaps, if the router is functioning as an SG for an 
enterprise), and it is clearly an unduly expensive implementation 
strategy for protecting router management traffic.

	- you believe that the AH or ESP format should be reused for 
rate limiting, which implies a minimum of an 8 byte overhead in 
addition to the cookie/tag/ICV. This is about double the overhead 
that would be required for a rate limiting scheme of the sort I 
suggested.

	- you appear to believe that devices used as VPN endpoints 
will be the same as border routers, although product design criteria 
would suggest otherwise.

I could go on, but as I said before, this is probably not a good use 
of anyone's time.

Steve