Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-ikev2-02
Alfred Hönes <ah@TR-Sys.de> Fri, 23 October 2009 11:44 UTC
To: sean.s.shen@gmail.com
Date: Fri, 23 Oct 2009 13:43:47 +0200
Cc: ipsec@ietf.org, Paul_Koning@dell.com, draft-ietf-ipsecme-aes-ctr-ikev2@cabernet.tools.IETF.ORG, kivinen@iki.fi

Sean Shen wrote:

> Section 2.2 says that "AES MUST use different rounds for each of the
> key sizes: ...".
> The draft is not trying to say that IKEv2 requires 10/12/14 rounds for
> 128/192/256 key lengths. The draft is not trying to say that AES-CTR
> requires 10/12/14 rounds for 128/192/256 key lengths.
>
> Sean
>
> ...

The "MUST" still makes the difference!
That is normative and does NOT belong into this draft.

Although that would still be regarded out of scope of your draft,
I would be more willing to accept an _informative_ statement like:

    "Note: AES uses different rounds for each of the key sizes: ...".
    ^^^^^^     ^^^^

But the most important topic remains:

The draft is ill-advised in pretending that the interface of AES
-- or, btw, *any* currently sensibly used block cipher primitive
of reasonable strength -- had an _external_ parameter "number of
rounds" that upper protocol (sub-)layers would need to have to
deal with.
Otherwise, the "IKEv2 Transform Attribute Types" would have to
include an entry for "number of rounds", which it doesn't, and
you also do not aim at establishing such entry.

For the sake of terminological precision and consistency with
existing specifications (and such to avoid confusion), a draft
about the usage of a cryptographic primitive in IPsec/IKE should
only denote as "algorithm parameter" what indeed has to be
expressed as such in SA crypto-algorithm negotiations.

Kind regards,
  Alfred Hönes.

-- 

+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes   |  Alfred Hoenes   Dipl.-Math., Dipl.-Phys.  |
| Gerlinger Strasse 12   |  Phone: (+49)7156/9635-0, Fax: -18         |
| D-71254 Ditzingen      |  E-Mail:  ah@TR-Sys.de                     |
+------------------------+--------------------------------------------+
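
The point argued in the message above, as an added Python example that is not part of the original mail or of the draft: an IKEv2 ENCR_AES_CTR transform carries only a Key Length attribute, and the AES round count is derived from it inside the cipher. The layout follows RFC 7296 sections 3.3.2 and 3.3.5; the function names, the policy of rejecting other attributes, and the sample bytes are assumptions of this example.

```python
import struct

ENCR = 1              # Transform Type 1: Encryption Algorithm (RFC 7296, 3.3.2)
ENCR_AES_CTR = 13     # Transform ID registered for AES-CTR
ATTR_KEY_LENGTH = 14  # Key Length transform attribute (RFC 7296, 3.3.5)
AES_ROUNDS = {128: 10, 192: 12, 256: 14}  # FIPS 197: Nr = Nk + 6


def parse_transform(buf):
    """Parse one IKEv2 Transform substructure into (type, id, attributes)."""
    if len(buf) < 8:
        raise ValueError("truncated transform header")
    _last, _rsv, length, t_type, _rsv2, t_id = struct.unpack_from("!BBHBBH", buf)
    if length < 8 or length > len(buf):
        raise ValueError("bad transform length")
    attrs, off = {}, 8
    while off < length:
        if length - off < 4:
            raise ValueError("truncated attribute")
        af_type, val = struct.unpack_from("!HH", buf, off)
        off += 4
        if af_type & 0x8000:               # AF=1: fixed 2-byte value (TV)
            attrs[af_type & 0x7FFF] = val
        else:                              # AF=0: val is the length of a TLV body
            if off + val > length:
                raise ValueError("attribute overruns transform")
            attrs[af_type] = bytes(buf[off:off + val])
            off += val
    return t_type, t_id, attrs


def aes_ctr_rounds(buf):
    """Return (key_bits, rounds) for a negotiated ENCR_AES_CTR transform."""
    t_type, t_id, attrs = parse_transform(buf)
    if (t_type, t_id) != (ENCR, ENCR_AES_CTR):
        raise ValueError("not an ENCR_AES_CTR transform")
    extra = set(attrs) - {ATTR_KEY_LENGTH}  # this example's policy: key length only
    if extra:
        raise ValueError(f"unexpected attributes: {sorted(extra)}")
    key_bits = attrs.get(ATTR_KEY_LENGTH)
    if key_bits not in AES_ROUNDS:
        raise ValueError(f"unsupported AES key length: {key_bits!r}")
    return key_bits, AES_ROUNDS[key_bits]   # rounds never appear on the wire


# Constructed sample: last transform, ENCR / ENCR_AES_CTR, Key Length = 256.
SAMPLE = bytes.fromhex("0000000c" "0100000d" "800e0100")
```
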