Re: [Ipsec] Comments about draft-solinas-ui-suites-00
Russ Housley <housley@vigilsec.com> Fri, 15 December 2006 18:42 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GvI1L-0007pP-Ht; Fri, 15 Dec 2006 13:42:59 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GvI1L-0007pI-6F for ipsec@ietf.org; Fri, 15 Dec 2006 13:42:59 -0500
Received: from woodstock.binhost.com ([66.150.120.2]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1GvI1J-0007cV-Ug for ipsec@ietf.org; Fri, 15 Dec 2006 13:42:59 -0500
Received: (qmail 22977 invoked by uid 0); 15 Dec 2006 18:42:53 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (71.246.224.157) by woodstock.binhost.com with SMTP; 15 Dec 2006 18:42:53 -0000
Message-Id: <7.0.0.16.2.20061215133741.0405bab0@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Fri, 15 Dec 2006 13:42:54 -0500
To: Pasi.Eronen@nokia.com, ipsec@ietf.org
From: Russ Housley <housley@vigilsec.com>
Subject: Re: [Ipsec] Comments about draft-solinas-ui-suites-00
In-Reply-To: <B356D8F434D20B40A8CEDAEC305A1F240381F7F3@esebe105.NOE.Noki a.com>
References: <B356D8F434D20B40A8CEDAEC305A1F240381F7F3@esebe105.NOE.Nokia.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.1 (/)
X-Scan-Signature: bb8f917bb6b8da28fc948aeffb74aa17
Cc: lelaw@orion.ncsc.mil
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Errors-To: ipsec-bounces@ietf.org
Pasi: As you have already seen on this list, Scott Kelly is working on an update to draft-kelly-ipsec-ciph-sha2. Once that is done, a reference will be added. I hope to progress the two documents at the same time. This should resolve comments 1) and 2). As for comment 3), the authors acknowledge that you have a good point. However, they prefer SHA-384 over SHA-512 because SHA-384 is a Suite B algorithm and SHA-512 is not. Moreover, if the user is also using ECDSA-384 digital signatures, then he will need to have SHA-384 anyway. Russ >A couple of minor comments about this draft: > >1) The document needs a reference to draft-kelly-ipsec-ciph-sha2, >which specifies how to use SHA-256 with IPsec. > >2) Currently draft-kelly-ipsec-ciph-sha2 specifies only SHA-256 >based integrity/PRF algorithms, but not SHA-384 or SHA-512, so >"Suite-B-GCM-256" and "Suite-B-GMAC-256" are not actually >implementable using currently existing documents. > >3) Given that SHA-384 is basically SHA-512 truncated to 384 bits >(and with different IV), do we really need e.g. a SHA-384 based >PRF for IKEv2? Wouldn't it be simpler just to use SHA-512? >(There are applications where using SHA-384 may make sense, but >I'm not sure IKEv2 PRF is one of them...) > >Best regards, >Pasi _______________________________________________ Ipsec mailing list Ipsec@ietf.org https://www1.ietf.org/mailman/listinfo/ipsec
- [Ipsec] Comments about draft-solinas-ui-suites-00 Pasi.Eronen
- Re: [Ipsec] Comments about draft-solinas-ui-suite… Scott G Kelly
- Re: [Ipsec] Comments about draft-solinas-ui-suite… Russ Housley