Re: [IPsec] Two questions aboutdraft-ietf-ipsecme-chacha20-poly1305-00
"Valery Smyslov" <svanru@gmail.com> Wed, 15 April 2015 07:48 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B8781B3255 for <ipsec@ietfa.amsl.com>; Wed, 15 Apr 2015 00:48:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.509
X-Spam-Level: **
X-Spam-Status: No, score=2.509 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_64=0.6, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vqAfGuwmAwJt for <ipsec@ietfa.amsl.com>; Wed, 15 Apr 2015 00:48:20 -0700 (PDT)
Received: from mail-lb0-x22e.google.com (mail-lb0-x22e.google.com [IPv6:2a00:1450:4010:c04::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CA471B3272 for <ipsec@ietf.org>; Wed, 15 Apr 2015 00:48:20 -0700 (PDT)
Received: by lbbuc2 with SMTP id uc2so27412151lbb.2 for <ipsec@ietf.org>; Wed, 15 Apr 2015 00:48:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:references:subject:date:mime-version :content-type:content-transfer-encoding; bh=t/9gU1dp9GtNFMqr9lHIoozcFiQBD0Ogx6kJpzWLAwk=; b=qGXhPgdIJJ0BJL7/or7oMcfBly1oCk0jTwEFDtx2AjXTcqCLtcaji5R54APazhTHK4 4szCwzp8H6W+MieIDSJuV+CJYNrTjxdRqFWcMYSosEfAeqwtzWw/XgNKH6DJamcvuJu9 Rri0vLGhIA8+wIkTMPR0oQuWasEKHZO14m8Zrr+TH8/R0DXJkRwwl/R/ysMD99PzBkIz 1Yt/Xt6C2Hx2ol3O8OeYGd8tmp48vfSWKskAH9gb/7H66SEJ+tNhPsF09FLsY40qRM8u i3Y2DniA1SHZe2bAVGS4dcWditKJMFXGGjbOhEmhgGIA/xsZac/ioqKj/YfKgf4NaP9z /HUQ==
X-Received: by 10.112.54.165 with SMTP id k5mr22696011lbp.57.1429084098779; Wed, 15 Apr 2015 00:48:18 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by mx.google.com with ESMTPSA id xg4sm761525lac.0.2015.04.15.00.48.17 (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 15 Apr 2015 00:48:18 -0700 (PDT)
Message-ID: <AFB4ABB7BABF47C59AB044D559431A12@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>, IETF IPsec <ipsec@ietf.org>
References: <20150330133237.21486.80504.idtracker@ietfa.amsl.com> <6E938E70-324A-424E-9D20-7067BD278165@gmail.com> <82E3B176-6865-4137-859D-CFD36FDB030F@gmail.com>
Date: Wed, 15 Apr 2015 10:48:10 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="utf-8"; reply-type="original"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/BuI_lIuOY7jTA1T5OCKhPrmjAjM>
Subject: Re: [IPsec] Two questions aboutdraft-ietf-ipsecme-chacha20-poly1305-00
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Apr 2015 07:48:22 -0000
Hi, >> On Mar 30, 2015, at 5:39 PM, Yoav Nir <ynir.ietf@gmail.com> wrote: >> >> Hi, >> >> There is two questions I would like guidance from the group about. >> >> First is the nonce/IV question: In the current draft, there is a 64-bit >> IV with guidance not to repeat them (so use a counter or LFSR). The >> function itself accepts a 96-bit input nonce, so the nonce is constructed >> from the 64-bit IV and 32 zero bits. The reason for doing this is so the >> algorithm could be used in a multi-sender case such as GDOI, where the >> 32-bit zero can be replaced by a sender ID. Alternatively, we could >> generate a 32-bit salt value from the key material, but I don’t see a >> reason why we’d want that. Another thing we could do is what some people >> are advocating for TLS: Since a counter is a fine IV (no need for >> secrecy), we don’t need a 64-bit IV that has the exact same value as the >> replay counter. We might as well save 8 bytes per packet and just feed >> the replay counter to the function. The argument against this is that >> some crypto modules may have the API set up in such a way that the IVs >> are generated within the module and could be something other than a >> counter (like an LFSR). The proposal will break such APIs. First, the third option is absolutely inappropriate. The draft suggests using Chacha+Poly for both ESP and IKE and in case of IKE there are no replay counter that is unique in the context of IKE SA. Message ID in IKE header _is_not_ unique - it can be repeated at least in two cases: RFC6311 and RFC7383. So, the IKE Message ID is allowed to repeat and these repetitions would be fatal for security. Among the first two options I prefer the AES-GCM-like approach - taking the needed 32 bits from the keying material. >> Second issue is about UI advice. Some implementations (yes, mine is >> included) allow the user to configure encryption algorithm, MAC >> algorithm, and D-H group. There is no setting for PRF since such UIs date >> back to IKEv1. The PRF is usually just taken from the setting for MAC >> algorithm. This works fine as long as all supported MAC algorithms are >> HMAC, XCBC, and CMAC. AES-GCM would have the same issue, but RFC 5282 >> makes no mention of this issue. I’m wondering if we should recommend to >> pair this algorithm in IKE with PRF_HMAC_SHA2_256. I think UI issues are out of scope of this draft. The draft should make no recommendations of what PRF should be used (at least it should not make such recommendations with RFC2119 keywords). Regards, Valery. >> >> Thanks >> >> Yoav > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec >
- [IPsec] I-D Action: draft-ietf-ipsecme-chacha20-p… internet-drafts
- [IPsec] Two questions about draft-ietf-ipsecme-ch… Yoav Nir
- Re: [IPsec] Two questions about draft-ietf-ipsecm… Yoav Nir
- Re: [IPsec] Two questions about draft-ietf-ipsecm… Scott Fluhrer (sfluhrer)
- [IPsec] Early code point assignment (was: I-D Act… Yoav Nir
- [IPsec] Two questions about draft-ietf-ipsecme-ch… Tero Kivinen
- Re: [IPsec] Early code point assignment (was: I-D… Yoav Nir
- Re: [IPsec] Early code point assignment (was: I-D… Paul Wouters
- Re: [IPsec] Early code point assignment (was: I-D… Yoav Nir
- Re: [IPsec] Early code point assignment (was: I-D… Paul Wouters
- Re: [IPsec] Early code point assignment (was: I-D… Tero Kivinen
- Re: [IPsec] Early code point assignment (was: I-D… Paul Wouters
- Re: [IPsec] Early code point assignment (was: I-D… Tero Kivinen
- Re: [IPsec] Early code point assignment (was: I-D… Yoav Nir
- Re: [IPsec] Early code point assignment (was: I-D… Paul Wouters
- Re: [IPsec] Early code point assignment Yaron Sheffer
- Re: [IPsec] Early code point assignment (was: I-D… Tero Kivinen
- Re: [IPsec] Two questions about draft-ietf-ipsecm… Yoav Nir
- Re: [IPsec] Two questions about draft-ietf-ipsecm… Yoav Nir
- Re: [IPsec] Two questions about draft-ietf-ipsecm… Yaron Sheffer
- Re: [IPsec] Two questions aboutdraft-ietf-ipsecme… Valery Smyslov
- Re: [IPsec] Two questions about draft-ietf-ipsecm… Michael Richardson