Re: [Cfrg] request for review of IPsec ESP and AH Usage Guidance

Yoav Nir <> Tue, 02 July 2013 18:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 52F5A21F9AFA for <>; Tue, 2 Jul 2013 11:56:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id drd4Esh5MBQU for <>; Tue, 2 Jul 2013 11:56:00 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 20D8321F8D73 for <>; Tue, 2 Jul 2013 11:55:59 -0700 (PDT)
Received: from ([]) by (8.13.8/8.13.8) with ESMTP id r62ItsFU002597; Tue, 2 Jul 2013 21:55:58 +0300
X-CheckPoint: {51D3223A-14-1B221DC2-1FFFF}
Received: from ([]) by ([]) with mapi id 14.02.0342.003; Tue, 2 Jul 2013 21:55:54 +0300
From: Yoav Nir <>
To: Paul Hoffman <>
Thread-Topic: [Cfrg] request for review of IPsec ESP and AH Usage Guidance
Date: Tue, 2 Jul 2013 18:55:53 +0000
Message-ID: <>
References: <1372775511.3983.76.camel@darkstar> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-kse-antivirus-interceptor-info: protection disabled
x-cpdlp: 11ca6f74aeab54e57fb5e5e3f1ecc593779e72aa6e
Content-Type: text/plain; charset="us-ascii"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: cfrg <>
Subject: Re: [Cfrg] request for review of IPsec ESP and AH Usage Guidance
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Jul 2013 18:56:06 -0000

On Jul 2, 2013, at 7:12 PM, Paul Hoffman <>;

> On Jul 2, 2013, at 8:51 AM, Yoav Nir <>; wrote:
>> "openssl speed" has Camellia at 70% the speed of AES. And while it's not widely implemented in IPsec, its TLS ciphersuites are implemented and enabled by default in both Chrome and Firefox, as well as in OpenSSL. If I'm not mistaken a default Firefox, and an out-of-the-box Apache server with ModSSL will use Camellia.
> So you are proposing Camellia as a SHOULD for IPsec instead of TripleDES? (Yes, I'm holding your feet to the fire here.)

Yes. The algorithms we've heard about are GOST, SEED, and Camellia. All others are too obscure, including the old AES competition contenders. GOST uses a 64-bit block, and of the other two Camellia gets more use because of OpenSSL and Firefox.

>>>> - I'm not sure what the point is of the MAY level. We MAY implement anything: SEED, Camellia, GOST. That doesn't help with interoperability
>>> Documenting at least one MAY-level algorithm shows that an implementation must not assume that there is only one code point that it will need to ever care about.
>> OK, but this makes "SHOULD NOT+" strange. Am I required to remove it from my library to make it compliant?  Can I still keep the 40-bit variant of CAST that I have there? It's OK to publish a separate die-die-die document for DES like the one for MD5, but in this document?
> Yes to all.

I would prefer that the line about DES would be gone completely.

>>>> - I'm not sure about AES-GMAC for ESP authentication. Is there a reason why someone would prefer to use AES-CBC or AES-CTR with AES-GMAC rather than AES-GCM? Also, the HMAC-SHA256 algorithm has gained popularity recently (meaning that a lot of customers are asking for it). It runs significantly slower than HMAC-SHA1, but people have stopped reading at "SHA-1 is no longer secure". Still, they're not asking for GMAC, they're asking for SHA-256. So I think a document where the goal is interoperability should focus on what is becoming the de-facto standard as long as it's secure enough.
>>> Having the document list the rationale for using GMAC instead of an HMAC would indeed be good.
>> I know, I know. Because it's faster. But we have GCM for that.
> And saying so in the document would be valuable.

I'm still looking for the rationale for SHOULD, let alone SHOULD+ for it.