Re: [Cfrg] request for review of IPsec ESP and AH Usage Guidance

Paul Hoffman <paul.hoffman@vpnc.org> Tue, 02 July 2013 15:33 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B44121F9F2A for <cfrg@ietfa.amsl.com>; Tue, 2 Jul 2013 08:33:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nlZOVhN3BKRY for <cfrg@ietfa.amsl.com>; Tue, 2 Jul 2013 08:33:20 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id ADF4721F9F1E for <cfrg@irtf.org>; Tue, 2 Jul 2013 08:33:20 -0700 (PDT)
Received: from [10.20.30.90] (50-1-98-228.dsl.dynamic.sonic.net [50.1.98.228]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id r62FXAt3006044 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 2 Jul 2013 08:33:11 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <30837097-4DB3-495C-86F4-42C76B634864@checkpoint.com>
Date: Tue, 2 Jul 2013 08:33:10 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <ECC9C873-595E-42E9-B18C-5DB52F3A0DCE@vpnc.org>
References: <1372775511.3983.76.camel@darkstar> <30837097-4DB3-495C-86F4-42C76B634864@checkpoint.com>
To: Yoav Nir <ynir@checkpoint.com>
X-Mailer: Apple Mail (2.1508)
Cc: cfrg <cfrg@irtf.org>
Subject: Re: [Cfrg] request for review of IPsec ESP and AH Usage Guidance
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jul 2013 15:33:21 -0000

On Jul 2, 2013, at 8:18 AM, Yoav Nir <ynir@checkpoint.com> wrote:

> - I'm concerned that the only encryption algorithm is AES. Yes, I see that TripleDES-CBC as a MAY, but that is by now the past. AES-128-CBC is 9 times the speed of 3DES (on an Intel platform without AES-NI based on "openssl speed"), and with AES-NI the ratio is likely to jump to 20. With GCM it's even more pronounced. So 3DES cannot be a reasonable alternative to AES. I think we should have some alternative that is at least at the SHOULD level.

...and yet no alternative seemed reasonable enough for you to suggest. :-) Should we either (a) delay this document until there is a widely-agreed-on alternative that is better than 3DES or (b) pick something now that is not widely-agreed-on and try to promote it? Neither seems like a good option to me.

> - I'm not sure what the point is of the MAY level. We MAY implement anything: SEED, Camellia, GOST. That doesn't help with interoperability

Documenting at least one MAY-level algorithm shows that an implementation must not assume that there is only one code point that it will need to ever care about. 

> - I'm not sure about AES-GMAC for ESP authentication. Is there a reason why someone would prefer to use AES-CBC or AES-CTR with AES-GMAC rather than AES-GCM? Also, the HMAC-SHA256 algorithm has gained popularity recently (meaning that a lot of customers are asking for it). It runs significantly slower than HMAC-SHA1, but people have stopped reading at "SHA-1 is no longer secure". Still, they're not asking for GMAC, they're asking for SHA-256. So I think a document where the goal is interoperability should focus on what is becoming the de-facto standard as long as it's secure enough.

Having the document list the rationale for using GMAC instead of an HMAC would indeed be good.

--Paul Hoffman