RE: replay field size straw poll
dpkemp@missi.ncsc.mil (David P. Kemp) Tue, 11 February 1997 14:14 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id JAA17389 for ipsec-outgoing; Tue, 11 Feb 1997 09:14:02 -0500 (EST)
Date: Tue, 11 Feb 1997 09:17:01 -0500
From: dpkemp@missi.ncsc.mil
Message-Id: <199702111417.JAA10584@argon.ncsc.mil>
To: rja@inet.org, palamber@us.oracle.com
Subject: RE: replay field size straw poll
Cc: ipsec@tis.com
X-Sun-Charset: US-ASCII
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
>
> The questions are:
>
> Should AH and ESP both have a fixed size replay counter ? (Yes/No/Don't Care)
> If they have a fixed size counter, what size should it be? (32 bits/64 bits)
> Should SHA-1 output be truncated to 128 bits from 160 bits ? (Yes/No/Don't Care)
>

1) AH and ESP should have a fixed size replay counter (Yes).

Rationale: I don't see any incremental benefit in being able to negotiate a replay counter size online, or in allowing different transform documents to specify different sizes. The KISS principle says make it fixed.

1a) AH and ESP should have the same fixed size.

Rationale: no benefit in different sizes. 64 bit alignment can be achieved by MBZ pad fields.

2) The fixed size should be 32 bits.

Rationale: is there any incremental benefit in replay protection beyond 4G packets? (4K seconds, or over an hour, at 1M packets/second). Is it too big a burden to refresh keys every 4G packets, even if you believe the crypto algorithm is strong enough to use for longer?

3) SHA should be truncated to 128 bits. (Yes)

Rationale: I'm not a cryptographer, but I am persuaded by Hugo's arguments that truncating HMAC-SHA to 128 bits is beneficial to security robustness. At worst, I don't believe truncating SHA could possibly result in a less secure HMAC than using MD5.
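The two mechanisms the message votes on, a fixed 32-bit replay counter and HMAC-SHA-1 truncated to 128 bits, as an added example that is not part of the original message or of any ipsec working group draft. It shows a sender that refuses to let its counter wrap (the "refresh keys every 4G packets" condition), a receiver-side sliding anti-replay window of the kind later specified for AH and ESP, and a truncated HMAC tag checked in constant time. The window size of 64, the key and the packet sequence are constructed for illustration.

```python
import hmac
import hashlib

SEQ_BITS = 32
SEQ_MAX = (1 << SEQ_BITS) - 1   # 4,294,967,295: the 4G-packet limit discussed in the post
WINDOW = 64                     # receiver anti-replay window (constructed choice)
TRUNC_LEN = 16                  # HMAC-SHA-1 output truncated from 160 to 128 bits


class Sender:
    """Per-SA sequence counter. Starts at 0, first packet carries 1, never wraps."""

    def __init__(self):
        self.seq = 0

    def next_seq(self):
        if self.seq >= SEQ_MAX:
            # A 32-bit counter gives at most 2^32 - 1 packets per key;
            # the SA must be rekeyed rather than reusing sequence numbers.
            raise RuntimeError("replay counter exhausted: rekey the SA")
        self.seq += 1
        return self.seq


class ReplayWindow:
    """Receiver-side sliding window: bit i of `bitmap` records whether
    sequence number (last - i) has already been accepted."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.last = 0      # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq):
        if seq == 0 or seq > SEQ_MAX:
            return "invalid"          # 0 is never transmitted; > 32 bits cannot occur
        if seq > self.last:
            shift = seq - self.last
            if shift >= self.window:
                self.bitmap = 1       # everything previously seen falls off the window
            else:
                mask = (1 << self.window) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.last = seq
            return "accept"
        diff = self.last - seq
        if diff >= self.window:
            return "too_old"          # behind the window: dropped as a possible replay
        if self.bitmap & (1 << diff):
            return "replay"           # duplicate inside the window: dropped
        self.bitmap |= 1 << diff
        return "accept"


def auth_tag(key, seq, payload):
    """HMAC-SHA-1 over the sequence number and payload, truncated to 128 bits."""
    msg = seq.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:TRUNC_LEN]


def verify(key, seq, payload, tag):
    # Constant-time comparison so a forger cannot time the truncated tag byte by byte.
    return hmac.compare_digest(auth_tag(key, seq, payload), tag)


def simulate_window(seqs, window=WINDOW):
    """Feed a constructed arrival order to one receiver window; return each verdict."""
    rw = ReplayWindow(window)
    return [rw.check_and_update(s) for s in seqs]


def sends_before_rekey(start_seq):
    """How many packets a sender whose counter is already at start_seq can still send."""
    s = Sender()
    s.seq = start_seq
    sent = 0
    try:
        while True:
            s.next_seq()
            sent += 1
    except RuntimeError:
        return sent


if __name__ == "__main__":
    key = b"constructed-demo-key"
    arrivals = [1, 2, 3, 5, 4, 3, 70, 6, 7, 60]   # constructed: reorder, replay, stale
    for seq, verdict in zip(arrivals, simulate_window(arrivals)):
        print(f"seq {seq:>3}: {verdict}")
    tag = auth_tag(key, 1, b"payload")
    print("tag bytes:", len(tag), "genuine:", verify(key, 1, b"payload", tag),
          "wrong seq:", verify(key, 2, b"payload", tag))
    print("packets left near limit:", sends_before_rekey(SEQ_MAX - 2))
```

Out-of-order packets inside the window (5 then 4) are accepted once each, a repeat (3) is rejected, and anything that has fallen behind the window (6 after 70) is dropped; the sender side raises as soon as the counter would reach 2^32, which is the rekey point the post puts at "every 4G packets".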