IETF Logo Mail Archive

Re: [Hipsec] Proposed new list for HIP_TRANSFORM

Robert Moskowitz <rgm@htt-consult.com> Wed, 06 January 2010 22:31 UTC

Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 325413A683D for <hipsec@core3.amsl.com>; Wed, 6 Jan 2010 14:31:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OwDmoqNQw0uZ for <hipsec@core3.amsl.com>; Wed, 6 Jan 2010 14:31:02 -0800 (PST)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [208.83.67.149]) by core3.amsl.com (Postfix) with ESMTP id D05DA3A6405 for <hipsec@ietf.org>; Wed, 6 Jan 2010 14:31:01 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 5387E68B21; Wed, 6 Jan 2010 23:28:38 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pl9gphE28OQN; Wed, 6 Jan 2010 18:28:29 -0500 (EST)
Received: from nc2400.htt-consult.com (unknown [IPv6:2607:f4b8:3:1:21b:77ff:fe43:978]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 522AD68B91; Wed, 6 Jan 2010 18:28:29 -0500 (EST)
Message-ID: <4B450F18.3020103@htt-consult.com>
Date: Wed, 06 Jan 2010 17:30:48 -0500
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.5) Gecko/20091209 Fedora/3.0-4.fc12 Thunderbird/3.0
MIME-Version: 1.0
To: miika.komu@hiit.fi
References: <4B440CA5.3010209@htt-consult.com> <4B44C35E.8090200@hiit.fi> <4B44CA15.2070905@htt-consult.com> <4B44D016.7050102@hiit.fi> <4B44D414.4080501@htt-consult.com> <4B450297.1070708@hiit.fi> <4B4505A8.4010009@htt-consult.com> <4B45061D.8000201@hiit.fi>
In-Reply-To: <4B45061D.8000201@hiit.fi>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Proposed new list for HIP_TRANSFORM
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jan 2010 22:31:03 -0000

On 01/06/2010 04:52 PM, Miika Komu wrote:
> Robert Moskowitz wrote:
>
> Hi,
>
>> On 01/06/2010 04:37 PM, Miika Komu wrote:
>>> Robert Moskowitz wrote:
>>>
>>> Hi,
>>>
>>>> On 01/06/2010 01:01 PM, Miika Komu wrote:
>>>>> Robert Moskowitz wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>>> On 01/06/2010 12:07 PM, Miika Komu wrote:
>>>>>>> Robert Moskowitz wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>>> Proposed new list for HIP_TRANSFORM:
>>>>>>>>
>>>>>>>>          Suite ID                          Value
>>>>>>>>
>>>>>>>>          RESERVED                          0
>>>>>>>>          AES-CBC with HMAC-SHA1            1     ([RFC3602], 
>>>>>>>> [RFC2404])
>>>>>>>>          3DES-CBC with HMAC-SHA1           2     ([RFC2451], 
>>>>>>>> [RFC2404])
>>>>>>>>          DEPRECATED                        3
>>>>>>>>          BLOWFISH-CBC with HMAC-SHA1       4     ([RFC2451], 
>>>>>>>> [RFC2404])
>>>>>>>>          NULL-ENCRYPT with HMAC-SHA1       5     ([RFC2410], 
>>>>>>>> [RFC2404])
>>>>>>>>          DEPRECATED                        6
>>>>>>>>          NULL-ENCRYPT with HMAC-SHA2       7     ([RFC2410], 
>>>>>>>> [RFC4868])
>>>>>>>>          AES-CBC with HMAC-SHA2            8     ([RFC3602], 
>>>>>>>> [RFC4868])
>>>>>>>>          AES-CCM-8                         9     [RFC4309]
>>>>>>>>          AES-CCM-12                        10    [RFC4309]
>>>>>>>>          AES-CCM-16                        11    [RFC4309]
>>>>>>>>          AES-GCM with a 8 octet ICV        12    [RFC4106]
>>>>>>>>          AES-GCM with a 12 octet ICV       13    [RFC4106]
>>>>>>>>          AES-GCM with a 16 octet ICV       14    [RFC4106]
>>>>>>>
>>>>>>> seems fine with me. Should the "natural" key size be reflected 
>>>>>>> in some of the algorithms descriptions?
>>>>>>
>>>>>> I am not sure what you are alluding to here.  Key sizes for 
>>>>>> AES-based transforms start at 128 and go up.  If you are asking 
>>>>>> about those 8/12/16 sizes in CCM and GCM, that applies to the 
>>>>>> auth size.
>>>>>
>>>>> do we have to negotiate AES key size?
>>>>
>>>> OOPS.  Good catch.  We want to make sure we have Suite B support...
>>>>
>>>> Trying to dig around, how is it handled elsewhere, an ISAKMP 
>>>> keysize TLV for IKE and ESP?
>>>>
>>>> I have some thoughts for a simple way here...
>>>
>>> either we fix the key size in the suite id or we negotiate it as 
>>> max(key-size-in-r1, key-size-in-i2).
>>
>> So we either add a KEYSIZE parameter or change the HIP_TRANSFORM 
>> parameter to include a key size.  Any why the max of the two?  Rather 
>> the max in common.  Say R1 has 128, 192, 256 and I2 has 128 and 192.  
>> Thus the agreed keysize is 192, not 256.
>
> it could be also "initiator chooses".

that makes the R1 key sizes being the offer, and I2 being the 
selection.  I don't have a problem with that.

Now is there any changes to any of the transforms based on the keysize?  
I hope not!

v2.23.0 | Report a Bug | By Email