IETF Logo Mail Archive

Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

Yoav Nir <ynir@checkpoint.com> Thu, 08 November 2012 21:44 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2FD621F855E for <ipsec@ietfa.amsl.com>; Thu, 8 Nov 2012 13:44:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.299
X-Spam-Level:
X-Spam-Status: No, score=-10.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_43=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ojmPm+UT+xSf for <ipsec@ietfa.amsl.com>; Thu, 8 Nov 2012 13:44:34 -0800 (PST)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 1777921F85E3 for <ipsec@ietf.org>; Thu, 8 Nov 2012 13:44:32 -0800 (PST)
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id qA8LiPaA027122; Thu, 8 Nov 2012 23:44:25 +0200
X-CheckPoint: {509C24F3-4-1B221DC2-2FFFF}
Received: from il-ex03.ad.checkpoint.com (194.29.34.71) by il-ex01.ad.checkpoint.com (194.29.34.26) with Microsoft SMTP Server (TLS) id 8.3.213.0; Thu, 8 Nov 2012 23:44:25 +0200
Received: from il-ex01.ad.checkpoint.com ([194.29.34.26]) by il-ex03.ad.checkpoint.com ([194.29.34.71]) with mapi; Thu, 8 Nov 2012 23:44:25 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "David McGrew (mcgrew)" <mcgrew@cisco.com>
Date: Thu, 08 Nov 2012 23:44:23 +0200
Thread-Topic: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange
Thread-Index: Ac29+jhQAvMTELTvTxy8NgA++UttVQ==
Message-ID: <3E61AE58-F8E5-4213-8C36-189238CD8E9C@checkpoint.com>
References: <747787E65E3FBD4E93F0EB2F14DB556B0F509D58@xmb-rcd-x04.cisco.com>
In-Reply-To: <747787E65E3FBD4E93F0EB2F14DB556B0F509D58@xmb-rcd-x04.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-KSE-AntiSpam-Interceptor-Info: protection disabled
Cc: IPsecme WG <ipsec@ietf.org>, Manfred Lochter <Manfred.Lochter@bsi.bund.de>, Johannes Merkle <johannes.merkle@secunet.com>, "rfc-ise@rfc-editor.org" <rfc-ise@rfc-editor.org>, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2012 21:44:34 -0000

On Nov 8, 2012, at 4:24 PM, David McGrew (mcgrew) wrote:

> 
> 
> On 11/8/12 3:26 AM, "Johannes Merkle" <johannes.merkle@secunet.com> wrote:
> 
>> Hi Tero,
>> 
>>> Every single option adds complexity, so I do not think we should add
>>> more optional things.
>> 
>> Point compression is not the focus of our draft. Given the opposition it
>> is facing here, I suggest to wait for further
>> replies and if point compression turns out to be objected by the majority
>> on this list, I will not insist on this feature.
>> BTW: In an earlier thread Dan Haskins has already indicated his
>> preference to leave point compression out.
>> 
>>> 
>>> Not sending the CERT, but replacing it with hash and url offers much
>>> bigger savings, and people are not even doing that.
>> You can not be sure that this option isn't used is some constrained
>> environments.
>> 
>> Just a note: the relative saving of point compression is larger when
>> sending hash + URL instead of the CERT.
> 
> What's the scenario here?   If hash + URL is sent, the certificate still
> has to be retrieved.  It might not be part of the IKE exchange, but moving
> it to HTTP doesn't mean that it doesn't contribute to bytes on the wire
> (or over the air, in the case of wireless).
> 

Since we tend to meet the same people all the time (or communicate with the same parties), usually the hash+URL would lead to retrieving the certificate from a cache, rather than from a remote web server.

Of course, if my implementation is running on a "thing", it doesn't have a cache and this argument doesn't apply.

Yoav

v2.23.0 | Report a Bug | By Email