RE: [Ipsec] Last Call: 'The AES-CMAC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)' to Proposed Standard
Pasi.Eronen@nokia.com Mon, 06 February 2006 14:56 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F67me-00044L-Js; Mon, 06 Feb 2006 09:56:04 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F67md-00043l-6q; Mon, 06 Feb 2006 09:56:03 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA24682; Mon, 6 Feb 2006 09:54:13 -0500 (EST)
From: Pasi.Eronen@nokia.com
Received: from host50.foretec.com ([65.246.255.50] helo=mx2.foretec.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1F67ye-00004v-IU; Mon, 06 Feb 2006 10:08:32 -0500
Received: from mgw-ext04.nokia.com ([131.228.20.96]) by mx2.foretec.com with esmtp (Exim 4.24) id 1F67mO-0005I6-Sv; Mon, 06 Feb 2006 09:55:50 -0500
Received: from esebh107.NOE.Nokia.com (esebh107.ntc.nokia.com [172.21.143.143]) by mgw-ext04.nokia.com (Switch-3.1.7/Switch-3.1.7) with ESMTP id k16ErVFP021805; Mon, 6 Feb 2006 16:53:35 +0200
Received: from esebh101.NOE.Nokia.com ([172.21.138.177]) by esebh107.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 6 Feb 2006 16:53:24 +0200
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebh101.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 6 Feb 2006 16:53:24 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5.7233.31
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Ipsec] Last Call: 'The AES-CMAC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)' to Proposed Standard
Date: Mon, 06 Feb 2006 16:53:36 +0200
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F24022F36C2@esebe105.NOE.Nokia.com>
In-Reply-To: <p0623090fc0096d49718a@[10.20.30.249]>
Thread-Topic: [Ipsec] Last Call: 'The AES-CMAC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)' to Proposed Standard
Thread-Index: AcYpAV6Qb3IsM8PfQtSiT/yaOL5e/QCKupHA
To: iesg@ietf.org, ipsec@ietf.org
X-OriginalArrivalTime: 06 Feb 2006 14:53:24.0172 (UTC) FILETIME=[145BC8C0:01C62B2D]
X-Spam-Score: 0.3 (/)
X-Scan-Signature: 5a9a1bd6c2d06a21d748b7d0070ddcb8
Content-Transfer-Encoding: quoted-printable
Cc:
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org
A couple of comments for IETF last call. Nothing major, mostly the document seems OK. 1) Section 3 writes "When using the PRF described in this document with IKEv2, the PRF is considered to be fixed-length for generating keying material but variable-length for authentication." Draft-hoffman-rfc3664bis included this "somewhat tortured logic" to preserve compatibility with RFC 3664. Here we don't have the compatibility issue, so wouldn't it be simpler to consider it variable-length for all purposes? 2) Section 6 says: "However, if using collision-resistant hash function such as AES-CMAC when generating new key for pseudo-random function" It's pretty trivial to show that f(x)=AES-CMAC(0^128,x) is not a collision-resistant hash function. But collision-resistance is not exactly the property we need here, because the input VK is secret. 3) Section 6 says: "Keys need to be chosen at random based on RFC 4086 [RFC4086] and should be kept in safe and periodically refreshed." This paragraph doesn't make much sense in a document which defines a PRF for IKEv2. The keys come from the DH exchange (etc.), and thus cannot be chosen at random according to RFC 4086 (with the exception of manually configured shared secret). 4) An extremely quick and rough implementation (not based on the draft-songlee-aes-cmac code) produced the same values as the test vectors listed in the draft. Purely editorial suggestions: 5) idnits: "There are 37 instances of too long lines in the document, the longest one being 717 characters in excess of 72." 6) Abstract: The abstact is copied from RFC 3664 (and was OK there), but might need some rephrasing here: we already have one AES-based PRF for IKEv2, so why another? (draft-songlee-aes- cmac-96 has some motivational text) 7) Section 1: "128 bits output is useful as a long-lived pseudo- random function (PRF) in either IKE version 1 or version 2." Since this document does not specify a PRF for IKEv1, mentioning it is a bit confusing. 8) Section 9.1: IKEv2 is now RFC 4306. 9) Section 9.2: Neither [AH] not [ROADMAP] are cited anywhere in the text; suggest removing them. Best regards, Pasi _______________________________________________ Ipsec mailing list Ipsec@ietf.org https://www1.ietf.org/mailman/listinfo/ipsec