Re: [IPsec] Working Group Last Call: draft-ietf-ipsecme-esp-ah-reqts

Tero Kivinen <kivinen@iki.fi> Mon, 03 March 2014 15:54 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8AD31A021B for <ipsec@ietfa.amsl.com>; Mon, 3 Mar 2014 07:54:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dxWJtHq70p_B for <ipsec@ietfa.amsl.com>; Mon, 3 Mar 2014 07:54:05 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id 0C6971A0217 for <ipsec@ietf.org>; Mon, 3 Mar 2014 07:54:04 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.7/8.14.5) with ESMTP id s23FrwN7020857 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 3 Mar 2014 17:53:58 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.7/8.12.11) id s23Frwj8018301; Mon, 3 Mar 2014 17:53:58 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <21268.42389.983348.801438@fireball.kivinen.iki.fi>
Date: Mon, 3 Mar 2014 17:53:57 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: "Valery Smyslov" <svanru@gmail.com>
In-Reply-To: <9618756DDA9C407AB0DC06AC207FD394@buildpc>
References: <530CE583.6030801@gmail.com> <9618756DDA9C407AB0DC06AC207FD394@buildpc>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 13 min
X-Total-Time: 13 min
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/4hmEWXrNMdrHM5jFF8ZRAYLhfDU
Cc: ipsec <ipsec@ietf.org>
Subject: Re: [IPsec] Working Group Last Call: draft-ietf-ipsecme-esp-ah-reqts
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Mar 2014 15:54:06 -0000

Valery Smyslov writes:
> The draft lists the following trasforms based on AES cipher:
> 
> AES-GCM
> AES-CCM
> AES-CTR
> AES-128-CBC
> AES-GMAC
> AES-XCBC-MAC-96
> 
> All these transforms, except for AES-XCBC-MAC-96,
> allows to be used with different key lengths - 128, 192 and 256 bits.
> It looks strange to me that, unlike the others, AES-128-CBC
> has key length explicitely specified in the draft. Why it differs in
> this respect from the others? What about AES-192-CBC and
> AES-256-CBC - are they also "MUST" or "MAY"? Or even "MUST NOT"? :-)

Hmm... actually we should most like use the same names we use in the
IANA registry. For example we have 3 different types of AES-GCM:

18   AES-GCM with a 8 octet ICV    [RFC4106]   [RFC5282]
19   AES-GCM with a 12 octet ICV   [RFC4106]   [RFC5282]
20   AES-GCM with a 16 octet ICV   [RFC4106]   [RFC5282]

Which one of those is the one that is moved to SHOULD+? Should we just
pick one of them, and say that it is the one we prefer, or should all
implementations implement all of them? AES-CCM has similar thing, but
as they are moving to MAY it does not really matter.

And yes, I agree the AES-128-CBC should be changed to AES-CBC. In the
RFC4305 and RFC4835 we had text like "AES-CBC with 128-bit keys", but
as we now have more AES modes, we should probably just add text saying
that for 128-bit keys for AES is MUST.

Also for AES-GMAC we need to decide which of the ones we are saying is
SHOULD+:

9	AUTH_AES_128_GMAC	[RFC4543]
10 	AUTH_AES_192_GMAC 	[RFC4543]
11 	AUTH_AES_256_GMAC 	[RFC4543]


> I think the draft should either:
> - remove explicit key length from AES-128-CBC and make it just
> AES-CBC
> - add explicit key length to all other AES-based transforms (except for 
> AES-XCBC-MAC-96)

AES-XCBC-MAC-96 is always defined to be have 128-bit key. The key
length cannot be negotiated when using the authentication algorithm,
it can only be negotiated for the encryption keys. Thats why the
AUTH_AES_*_GMAC authentication algorithms are defined as 3 different
algorithms. 

> - leave things as is, but explain why AES-CBC differs in this respect from 
> the others

I think that is bad idea.

I think the best is to say that in general with AES encryption (GCM,
CBC, CCM etc) we assume the key length is 128-bits. (i.e. the
MUST for AES-CBC is for 128-bit keys, and the SHOULD+ for AES-GCM is
also for 128-bit keys with x octect ICV). 
-- 
kivinen@iki.fi