Re: [Cfrg] request for review of IPsec ESP and AH Usage Guidance

[Paul Hoffman <paul.hoffman@vpnc.org>]

On Jul 2, 2013, at 8:51 AM, Yoav Nir <ynir@checkpoint.com> wrote:

> "openssl speed" has Camellia at 70% the speed of AES. And while it's not widely implemented in IPsec, its TLS ciphersuites are implemented and enabled by default in both Chrome and Firefox, as well as in OpenSSL. If I'm not mistaken a default Firefox, and an out-of-the-box Apache server with ModSSL will use Camellia.

So you are proposing Camellia as a SHOULD for IPsec instead of TripleDES? (Yes, I'm holding your feet to the fire here.)

>>> - I'm not sure what the point is of the MAY level. We MAY implement anything: SEED, Camellia, GOST. That doesn't help with interoperability
>> 
>> Documenting at least one MAY-level algorithm shows that an implementation must not assume that there is only one code point that it will need to ever care about.
> 
> OK, but this makes "SHOULD NOT+" strange. Am I required to remove it from my library to make it compliant?  Can I still keep the 40-bit variant of CAST that I have there? It's OK to publish a separate die-die-die document for DES like the one for MD5, but in this document?

Yes to all.

>>> - I'm not sure about AES-GMAC for ESP authentication. Is there a reason why someone would prefer to use AES-CBC or AES-CTR with AES-GMAC rather than AES-GCM? Also, the HMAC-SHA256 algorithm has gained popularity recently (meaning that a lot of customers are asking for it). It runs significantly slower than HMAC-SHA1, but people have stopped reading at "SHA-1 is no longer secure". Still, they're not asking for GMAC, they're asking for SHA-256. So I think a document where the goal is interoperability should focus on what is becoming the de-facto standard as long as it's secure enough.
>> 
>> Having the document list the rationale for using GMAC instead of an HMAC would indeed be good.
> 
> I know, I know. Because it's faster. But we have GCM for that.

And saying so in the document would be valuable.

--Paul Hoffman