Re: [IPsec] Working Group Last Call: draft-ietf-ipsecme-esp-ah-reqts

Paul Hoffman <paul.hoffman@vpnc.org> Sat, 08 March 2014 11:56 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFECB1A01E1 for <ipsec@ietfa.amsl.com>; Sat, 8 Mar 2014 03:56:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ySZX6e6jY9pV for <ipsec@ietfa.amsl.com>; Sat, 8 Mar 2014 03:56:12 -0800 (PST)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id DC6551A011E for <ipsec@ietf.org>; Sat, 8 Mar 2014 03:56:12 -0800 (PST)
Received: from [10.207.200.59] ([31.55.55.105]) (authenticated bits=0) by hoffman.proper.com (8.14.8/8.14.7) with ESMTP id s28Bu4Vn055805 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <ipsec@ietf.org>; Sat, 8 Mar 2014 04:56:06 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host [31.55.55.105] claimed to be [10.207.200.59]
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
X-Priority: 3
In-Reply-To: <9618756DDA9C407AB0DC06AC207FD394@buildpc>
Date: Sat, 8 Mar 2014 11:56:03 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <1CD15B55-CB5D-4107-99BB-E2BF2F7A8760@vpnc.org>
References: <530CE583.6030801@gmail.com> <9618756DDA9C407AB0DC06AC207FD394@buildpc>
To: ipsec <ipsec@ietf.org>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/0pFX0_2i7ijQ3it4SimM0EdfLTE
Subject: Re: [IPsec] Working Group Last Call: draft-ietf-ipsecme-esp-ah-reqts
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Mar 2014 11:56:14 -0000

On Mar 3, 2014, at 12:02 PM, Valery Smyslov <svanru@gmail.com> wrote:

> The draft lists the following trasforms based on AES cipher:
> 
> AES-GCM
> AES-CCM
> AES-CTR
> AES-128-CBC
> AES-GMAC
> AES-XCBC-MAC-96
> 
> All these transforms, except for AES-XCBC-MAC-96,
> allows to be used with different key lengths - 128, 192 and 256 bits.
> It looks strange to me that, unlike the others, AES-128-CBC
> has key length explicitely specified in the draft. Why it differs in
> this respect from the others? What about AES-192-CBC and
> AES-256-CBC - are they also "MUST" or "MAY"? Or even "MUST NOT"? :-)
> 
> I think the draft should either:
> - remove explicit key length from AES-128-CBC and make it just AES-CBC
> - add explicit key length to all other AES-based transforms (except for AES-XCBC-MAC-96)
> - leave things as is, but explain why AES-CBC differs in this respect from the others

The next draft changes AES-128-CBC to AES-CBC, and says:

In the following sections, all AES modes are for 128-bit AES. 192-bit AES
MAY be supported for those modes, but the requirements here are for 128-bit AES.

--Paul Hoffman