Re: [Cfrg] request for review of IPsec ESP and AH Usage Guidance
"Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> Tue, 02 July 2013 15:58 UTC
Return-Path: <prvs=0895b2fc78=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF5E121F9F39 for <cfrg@ietfa.amsl.com>; Tue, 2 Jul 2013 08:58:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JjkCPvJQl2zz for <cfrg@ietfa.amsl.com>; Tue, 2 Jul 2013 08:57:59 -0700 (PDT)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id 7976521F9EDB for <cfrg@irtf.org>; Tue, 2 Jul 2013 08:57:59 -0700 (PDT)
Received: from LLE2K7-HUB02.mitll.ad.local (LLE2K7-HUB02.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id r62FvnGi000413; Tue, 2 Jul 2013 11:57:49 -0400
From: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
To: Paul Hoffman <paul.hoffman@vpnc.org>, Yoav Nir <ynir@checkpoint.com>
Date: Tue, 02 Jul 2013 11:57:46 -0400
Thread-Topic: [Cfrg] request for review of IPsec ESP and AH Usage Guidance
Thread-Index: Ac53PObQ5/GlfA4FRJyYQrgO+dPCAA==
Message-ID: <CDF86B4A.16CB5%uri@ll.mit.edu>
In-Reply-To: <ECC9C873-595E-42E9-B18C-5DB52F3A0DCE@vpnc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.5.130515
acceptlanguage: en-US
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3455611066_41182161"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.10.8794, 1.0.431, 0.0.0000 definitions=2013-07-02_07:2013-07-02, 2013-07-02, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1307020115
Cc: cfrg <cfrg@irtf.org>
Subject: Re: [Cfrg] request for review of IPsec ESP and AH Usage Guidance
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jul 2013 15:58:04 -0000
On 7/2/13 11:33 , "Paul Hoffman" <paul.hoffman@vpnc.org> wrote: >On Jul 2, 2013, at 8:18 AM, Yoav Nir <ynir@checkpoint.com> wrote: > >> - I'm concerned that the only encryption algorithm is AES. Yes, I see >>that TripleDES-CBC as a MAY, but that is by now the past. AES-128-CBC is >>9 times the speed of 3DES (on an Intel platform without AES-NI based on >>"openssl speed"), and with AES-NI the ratio is likely to jump to 20. >>With GCM it's even more pronounced. So 3DES cannot be a reasonable >>alternative to AES. I think we should have some alternative that is at >>least at the SHOULD level. > >...and yet no alternative seemed reasonable enough for you to suggest. >:-) Should we either (a) delay this document until there is a >widely-agreed-on alternative that is better than 3DES or (b) pick >something now that is not widely-agreed-on and try to promote it? Neither >seems like a good option to me. IMHO, at this point there's no alternative that is either necessary or useful. Therefore I propose (c): leave this part alone and go on. If AES does get broken - we'll have a bigger problem on our hands. If patent issues aren't of concern - I would consider adding AES-*-OCB mode as either SHOULD or at least MAY. >>- I'm not sure what the point is of the MAY level. We MAY implement >>anything: SEED, Camellia, GOST. That doesn't help with interoperability > >Documenting at least one MAY-level algorithm shows that an implementation >must not assume that there is only one code point that it will need to >ever care about. As you pointed out, we MAY implement anything. If you absolutely insist that an algorithm or two MUST be mentioned in the MAY clause (:-), why not one or two of the AES competition finalists (those that did not have any attacks published)? > >>- I'm not sure about AES-GMAC for ESP authentication. Is there a reason >>why someone would prefer to use AES-CBC or AES-CTR with AES-GMAC rather >>than AES-GCM? Also, the HMAC-SHA256 algorithm has gained popularity >>recently (meaning that a lot of customers are asking for it). It runs >>significantly slower than HMAC-SHA1, but people have stopped reading at >>"SHA-1 is no longer secure". Still, they're not asking for GMAC, they're >>asking for SHA-256. So I think a document where the goal is >>interoperability should focus on what is becoming the de-facto standard >>as long as it's secure enough. > >Having the document list the rationale for using GMAC instead of an HMAC >would indeed be good. One reason to use AES-GMAC for ESP authentication is that ESP supports all of the following: (a) don't encrypt but authenticate, (b) authenticate but don't encrypt, (c) encrypt and authenticate. GMAC fits the (a) case perfectly. In the past, people unfamiliar with how ESP and AH evolved, had a misconception that when you need authentication you use AH, when you need encryption you use ESP, and when you need both you combine the two (ESP+AH). IMHO it was mainly because of their ignorance of the main reason behind creation of AH - the EXPORT CONTROL (of that time!) requirement for an authentication-only mode that could not have encryption retrofitted in in. I see no reason to use GMAC (or any other MAC) over encrypted (e.g., with AES-CBC) data: if you encrypt - there's no reason not to use AE/AEAD mode. If you don't encrypt - use GMAC. When given a choice between GMAC and HMAC-SHA256, the decision should be obvious (and not in favor of SHA :). More detailed review to follow. :-) TNX!
- [Cfrg] request for review of IPsec ESP and AH Usa… David McGrew
- Re: [Cfrg] request for review of IPsec ESP and AH… Yoav Nir
- Re: [Cfrg] request for review of IPsec ESP and AH… Paul Hoffman
- Re: [Cfrg] request for review of IPsec ESP and AH… Yoav Nir
- Re: [Cfrg] request for review of IPsec ESP and AH… Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] request for review of IPsec ESP and AH… Paul Hoffman
- Re: [Cfrg] request for review of IPsec ESP and AH… Yoav Nir
- Re: [Cfrg] request for review of IPsec ESP and AH… Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] request for review of IPsec ESP and AH… Yoav Nir
- Re: [Cfrg] request for review of IPsec ESP and AH… Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] request for review of IPsec ESP and AH… Yaron Sheffer
- Re: [Cfrg] request for review of IPsec ESP and AH… Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] request for review of IPsec ESP and AH… David McGrew
- Re: [Cfrg] request for review of IPsec ESP and AH… David McGrew