Re: [Cfrg] request for review of IPsec ESP and AH Usage Guidance

Yoav Nir <> Tue, 02 July 2013 20:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1048911E80E1 for <>; Tue, 2 Jul 2013 13:31:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.224
X-Spam-Status: No, score=-10.224 tagged_above=-999 required=5 tests=[AWL=-0.375, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, SARE_OBFU_ALL=0.751]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SiM1I99pkc4P for <>; Tue, 2 Jul 2013 13:31:41 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id D4F3E11E80AE for <>; Tue, 2 Jul 2013 13:31:40 -0700 (PDT)
Received: from ([]) by (8.13.8/8.13.8) with ESMTP id r62KVYpr005715; Tue, 2 Jul 2013 23:31:35 +0300
X-CheckPoint: {51D338A6-1F-1B221DC2-1FFFF}
Received: from ([]) by ([]) with mapi id 14.02.0342.003; Tue, 2 Jul 2013 23:31:34 +0300
From: Yoav Nir <>
To: "Blumenthal, Uri - 0558 - MITLL" <>
Thread-Topic: [Cfrg] request for review of IPsec ESP and AH Usage Guidance
Date: Tue, 2 Jul 2013 20:31:34 +0000
Message-ID: <>
References: <1372775511.3983.76.camel@darkstar> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-kse-antivirus-interceptor-info: protection disabled
x-cpdlp: 116418bca71ce093fd4ab30fb2601930be24878e85
Content-Type: text/plain; charset="us-ascii"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: cfrg <>, Paul Hoffman <>
Subject: Re: [Cfrg] request for review of IPsec ESP and AH Usage Guidance
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Jul 2013 20:31:47 -0000

On Jul 2, 2013, at 11:01 PM, "Blumenthal, Uri - 0558 - MITLL" <> wrote:
>>>>>> - I'm not sure about AES-GMAC for ESP authentication. Is there a reason why someone would prefer to use AES-CBC or AES-CTR with AES-GMAC rather than AES-GCM? Also, the HMAC-SHA256 algorithm has gained popularity recently (meaning that a lot of customers are asking for it). It runs significantly slower than HMAC-SHA1, but people have stopped reading at "SHA-1 is no longer secure". Still, they're not asking for GMAC, they're asking for SHA-256. So I think a document where the goal is interoperability should focus on what is becoming the de-facto standard as long as it's secure enough.
>>>>> Having the document list the rationale for using GMAC instead of an HMAC would indeed be good.
>>>> I know, I know. Because it's faster. But we have GCM for that.
>>> And saying so in the document would be valuable.
>> I'm still looking for the rationale for SHOULD, let alone SHOULD+ for it.
> With AE modes there is no rationale to use separate encryption and authentication that I can think of.  The rationale of using GMAC instead of HMAC-SHA* is: (a) better performance, and (b) security proofs make better (to my taste) assumptions. These two should be sufficient.

And I'm not objecting to it being a SHOULD with or without + for AH. I'm only asking about ESP.