Re: [Cfrg] request for review of IPsec ESP and AH Usage Guidance

[Paul Hoffman <paul.hoffman@vpnc.org>]

On Jul 2, 2013, at 8:18 AM, Yoav Nir <ynir@checkpoint.com> wrote:

> - I'm concerned that the only encryption algorithm is AES. Yes, I see that TripleDES-CBC as a MAY, but that is by now the past. AES-128-CBC is 9 times the speed of 3DES (on an Intel platform without AES-NI based on "openssl speed"), and with AES-NI the ratio is likely to jump to 20. With GCM it's even more pronounced. So 3DES cannot be a reasonable alternative to AES. I think we should have some alternative that is at least at the SHOULD level.

...and yet no alternative seemed reasonable enough for you to suggest. :-) Should we either (a) delay this document until there is a widely-agreed-on alternative that is better than 3DES or (b) pick something now that is not widely-agreed-on and try to promote it? Neither seems like a good option to me.

> - I'm not sure what the point is of the MAY level. We MAY implement anything: SEED, Camellia, GOST. That doesn't help with interoperability

Documenting at least one MAY-level algorithm shows that an implementation must not assume that there is only one code point that it will need to ever care about. 

> - I'm not sure about AES-GMAC for ESP authentication. Is there a reason why someone would prefer to use AES-CBC or AES-CTR with AES-GMAC rather than AES-GCM? Also, the HMAC-SHA256 algorithm has gained popularity recently (meaning that a lot of customers are asking for it). It runs significantly slower than HMAC-SHA1, but people have stopped reading at "SHA-1 is no longer secure". Still, they're not asking for GMAC, they're asking for SHA-256. So I think a document where the goal is interoperability should focus on what is becoming the de-facto standard as long as it's secure enough.

Having the document list the rationale for using GMAC instead of an HMAC would indeed be good.

--Paul Hoffman