Re: [Cfrg] request for review of IPsec ESP and AH Usage Guidance

Paul Hoffman <> Tue, 02 July 2013 16:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5DF6D11E80D1 for <>; Tue, 2 Jul 2013 09:13:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pSZ3Qh3230mu for <>; Tue, 2 Jul 2013 09:13:08 -0700 (PDT)
Received: from (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by (Postfix) with ESMTP id A9B5B11E80A2 for <>; Tue, 2 Jul 2013 09:13:08 -0700 (PDT)
Received: from [] ( []) (authenticated bits=0) by (8.14.5/8.14.5) with ESMTP id r62GCvYA007040 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 2 Jul 2013 09:12:57 -0700 (MST) (envelope-from
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Paul Hoffman <>
In-Reply-To: <>
Date: Tue, 2 Jul 2013 09:12:56 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <1372775511.3983.76.camel@darkstar> <> <> <>
To: Yoav Nir <>
X-Mailer: Apple Mail (2.1508)
Cc: cfrg <>
Subject: Re: [Cfrg] request for review of IPsec ESP and AH Usage Guidance
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Jul 2013 16:13:09 -0000

On Jul 2, 2013, at 8:51 AM, Yoav Nir <> wrote:

> "openssl speed" has Camellia at 70% the speed of AES. And while it's not widely implemented in IPsec, its TLS ciphersuites are implemented and enabled by default in both Chrome and Firefox, as well as in OpenSSL. If I'm not mistaken a default Firefox, and an out-of-the-box Apache server with ModSSL will use Camellia.

So you are proposing Camellia as a SHOULD for IPsec instead of TripleDES? (Yes, I'm holding your feet to the fire here.)

>>> - I'm not sure what the point is of the MAY level. We MAY implement anything: SEED, Camellia, GOST. That doesn't help with interoperability
>> Documenting at least one MAY-level algorithm shows that an implementation must not assume that there is only one code point that it will need to ever care about.
> OK, but this makes "SHOULD NOT+" strange. Am I required to remove it from my library to make it compliant?  Can I still keep the 40-bit variant of CAST that I have there? It's OK to publish a separate die-die-die document for DES like the one for MD5, but in this document?

Yes to all.

>>> - I'm not sure about AES-GMAC for ESP authentication. Is there a reason why someone would prefer to use AES-CBC or AES-CTR with AES-GMAC rather than AES-GCM? Also, the HMAC-SHA256 algorithm has gained popularity recently (meaning that a lot of customers are asking for it). It runs significantly slower than HMAC-SHA1, but people have stopped reading at "SHA-1 is no longer secure". Still, they're not asking for GMAC, they're asking for SHA-256. So I think a document where the goal is interoperability should focus on what is becoming the de-facto standard as long as it's secure enough.
>> Having the document list the rationale for using GMAC instead of an HMAC would indeed be good.
> I know, I know. Because it's faster. But we have GCM for that.

And saying so in the document would be valuable.

--Paul Hoffman