IETF Logo Mail Archive

Re: [Cfrg] request for review of IPsec ESP and AH Usage Guidance

David McGrew <mcgrew@cisco.com> Fri, 05 July 2013 22:16 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9185D21F9FDB for <cfrg@ietfa.amsl.com>; Fri, 5 Jul 2013 15:16:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.224
X-Spam-Level:
X-Spam-Status: No, score=-110.224 tagged_above=-999 required=5 tests=[AWL=-0.375, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, SARE_OBFU_ALL=0.751, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tbZFcypK4iX1 for <cfrg@ietfa.amsl.com>; Fri, 5 Jul 2013 15:16:28 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id F22E921F9E43 for <cfrg@irtf.org>; Fri, 5 Jul 2013 15:16:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1744; q=dns/txt; s=iport; t=1373062588; x=1374272188; h=message-id:subject:from:to:cc:date:in-reply-to: references:mime-version:content-transfer-encoding; bh=fPKfDFjX8n9rL87HeN+lLLxfrF+oZVVdK4YrjCGepvg=; b=R2gMrhEYfgParIwNzZ4CsU80483ffpUXrhReqvXh7t6y/ft0LA6iqix3 veElh8rqvqtltq41aYG/xN1S9DdRsVJB0YyOkAh/irvil1PXe9FHhfA9k fKtDH76XN6qTsWd0gqtRRD7VzeS4KWWTcviBwqA6LW5L0tHtJIPe9l4L1 s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgkFADNF11GtJV2a/2dsb2JhbABagwkzg1C9SYECFnSCIwEBAQQjSQ0QCw4KAgImAgJXBhOID6dskQeBJo5FB4JRgRwDnWqLJIMtIA
X-IronPort-AV: E=Sophos;i="4.87,1004,1363132800"; d="scan'208";a="231542459"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-4.cisco.com with ESMTP; 05 Jul 2013 22:16:00 +0000
Received: from [10.0.2.15] (rtp-mcgrew-8912.cisco.com [10.117.10.227]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r65MFxDm002080 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Fri, 5 Jul 2013 22:16:00 GMT
Message-ID: <1373062559.3983.471.camel@darkstar>
From: David McGrew <mcgrew@cisco.com>
To: Yoav Nir <ynir@checkpoint.com>
Date: Fri, 05 Jul 2013 18:15:59 -0400
In-Reply-To: <951F544D-382E-4743-955F-4C8F1880F443@checkpoint.com>
References: <1372775511.3983.76.camel@darkstar> <30837097-4DB3-495C-86F4-42C76B634864@checkpoint.com> <ECC9C873-595E-42E9-B18C-5DB52F3A0DCE@vpnc.org> <D3B1C8DB-3411-4684-A13F-D252BF67CE5F@checkpoint.com> <5A32D67C-0EAD-4A93-805C-DCA134553279@vpnc.org> <A574FAAC-03C8-4E04-9827-131A114B755B@checkpoint.com> <BEC9EE61-2B4B-45D3-BED2-45688F34FF29@ll.mit.edu> <951F544D-382E-4743-955F-4C8F1880F443@checkpoint.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.4.4-3
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Cc: cfrg <cfrg@irtf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [Cfrg] request for review of IPsec ESP and AH Usage Guidance
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jul 2013 22:16:33 -0000

Hi Yoav,

On Tue, 2013-07-02 at 20:31 +0000, Yoav Nir wrote:
> On Jul 2, 2013, at 11:01 PM, "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> wrote:
> > 
> > 
> >>>>>> - I'm not sure about AES-GMAC for ESP authentication. Is there
> a reason why someone would prefer to use AES-CBC or AES-CTR with
> AES-GMAC rather than AES-GCM? Also, the HMAC-SHA256 algorithm has
> gained popularity recently (meaning that a lot of customers are asking
> for it). It runs significantly slower than HMAC-SHA1, but people have
> stopped reading at "SHA-1 is no longer secure". Still, they're not
> asking for GMAC, they're asking for SHA-256. So I think a document
> where the goal is interoperability should focus on what is becoming
> the de-facto standard as long as it's secure enough.
> >>>>> 
> >>>>> Having the document list the rationale for using GMAC instead of
> an HMAC would indeed be good.
> >>>> 
> >>>> I know, I know. Because it's faster. But we have GCM for that.
> >>> 
> >>> And saying so in the document would be valuable.
> >> 
> >> I'm still looking for the rationale for SHOULD, let alone SHOULD+
> for it.
> > 
> > With AE modes there is no rationale to use separate encryption and
> authentication that I can think of.  The rationale of using GMAC
> instead of HMAC-SHA* is: (a) better performance, and (b) security
> proofs make better (to my taste) assumptions. These two should be
> sufficient.
> 
> And I'm not objecting to it being a SHOULD with or without + for AH.
> I'm only asking about ESP.

The most important use of an authentication transform in ESP is with
NULL encryption, in which case GMAC is the clear winner because of
adequate security and exceptional performance.  

David

v2.23.0 | Report a Bug | By Email