[IPsec] comments on draft-ietf-ipsecme-aes-ctr-ikev2-05.txt
David McGrew <mcgrew@cisco.com> Mon, 08 March 2010 16:33 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 10F2D3A6A85 for <ipsec@core3.amsl.com>; Mon, 8 Mar 2010 08:33:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.75
X-Spam-Level:
X-Spam-Status: No, score=-8.75 tagged_above=-999 required=5 tests=[AWL=1.849, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 30huqBWTKXew for <ipsec@core3.amsl.com>; Mon, 8 Mar 2010 08:33:23 -0800 (PST)
Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by core3.amsl.com (Postfix) with ESMTP id BEB823A69C0 for <ipsec@ietf.org>; Mon, 8 Mar 2010 08:33:20 -0800 (PST)
Authentication-Results: sj-iport-3.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEABK1lEurRN+K/2dsb2JhbACbKHOhcJgVhHgEgxc
X-IronPort-AV: E=Sophos;i="4.49,603,1262563200"; d="scan'208";a="215953318"
Received: from sj-core-4.cisco.com ([171.68.223.138]) by sj-iport-3.cisco.com with ESMTP; 08 Mar 2010 16:33:25 +0000
Received: from stealth-10-32-254-212.cisco.com (stealth-10-32-254-212.cisco.com [10.32.254.212]) by sj-core-4.cisco.com (8.13.8/8.14.3) with ESMTP id o28GXN0r007073; Mon, 8 Mar 2010 16:33:24 GMT
Message-Id: <5E118307-CA36-4182-B5B0-A6431487899F@cisco.com>
From: David McGrew <mcgrew@cisco.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, sean.s.shen@gmail.com, yumao9@gmail.com, ssmurthy.nittala@freescale.com
In-Reply-To: <p06240825c7b4519f594c@[10.20.30.158]>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Mon, 08 Mar 2010 08:33:23 -0800
References: <p06240825c7b4519f594c@[10.20.30.158]>
X-Mailer: Apple Mail (2.936)
Cc: IPsecme WG <ipsec@ietf.org>
Subject: [IPsec] comments on draft-ietf-ipsecme-aes-ctr-ikev2-05.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Mar 2010 16:33:26 -0000
The statement that "Although the [RFC4307] specifies that the AES-CTR encryption algorithm feature SHOULD be supported by IKEv2, no existing document specifies how IKEv2 can support the feature" is not completely correct. RFC 5282 specifies how to use AES in the Galois Counter Mode (GCM) and Counter and CBC-MAC (CCM) modes of operation. Neither this draft nor RFC 4307 provides any rationale for why or when AES-CTR should be used. If it is considered useful because CTR can be pipelined or implemented in parallel, then the considerations of http://tools.ietf.org/html/draft-mcgrew-esp-ah-algo-update-00#section-3 would apply. What value is there is promoting the use of AES-CTR when better technical alternatives exist and are on standards track? If the sole motivation for this standard is to correct the inconsistency between RFC 4307 and RFC 3686, then the draft should include a statement to that effect, and mention the IKEv2 transforms that have all of the advantages of AES-CTR already exist. The draft is not very clear on how AES-CTR is supposed to be implemented. What is the counter format and what is the increment function? If the intent is to copy RFC 3686 then this needs to be made more explicit. David On Mar 3, 2010, at 9:51 AM, Paul Hoffman wrote: >> A New Internet-Draft is available from the on-line Internet-Drafts >> directories. >> This draft is a work item of the IP Security Maintenance and >> Extensions Working Group of the IETF. >> >> Title : Using Advanced Encryption Standard (AES) Counter Mode >> with IKEv2 >> Author(s) : S. Shen, Y. Mao, S. murthy >> Filename : draft-ietf-ipsecme-aes-ctr-ikev2-05.txt >> Pages : 10 >> Date : 2010-3-2 >> >> This document describes the usage of Advanced Encryption Standard >> Counter Mode (AES-CTR), with an explicit initialization vector, by >> IKEv2 for encrypting the IKEv2 exchanges that follow the IKE_SA_INIT >> exchange. >> >> A URL for this Internet-Draft is: >> http://www.ietf.org/internet-drafts/draft-ietf-ipsecme-aes-ctr-ikev2-05.txt > > Based on Pasi's AD review, the authors significantly shortened the > document. It seems prudent to have the WG review the new, shorter > version. In particular, it would be good for developers to look at > the new short document and see if it is complete enough to implement > from. > > This review cycle will end in a week, but please do the review early > in case problems are found. > > --Paul Hoffman, Director > --VPN Consortium > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] Please review draft-ietf-ipsecme-aes-ctr-… Paul Hoffman
- Re: [IPsec] Please review draft-ietf-ipsecme-aes-… Yoav Nir
- Re: [IPsec] Please review draft-ietf-ipsecme-aes-… Sean Shen
- Re: [IPsec] Please review draft-ietf-ipsecme-aes-… Raj Singh
- [IPsec] Please review draft-ietf-ipsecme-aes-ctr-… Tero Kivinen
- Re: [IPsec] Please review draft-ietf-ipsecme-aes-… Tero Kivinen
- Re: [IPsec] Please review draft-ietf-ipsecme-aes-… Scott C Moonen
- Re: [IPsec] Please review draft-ietf-ipsecme-aes-… Sean Shen 沈烁
- Re: [IPsec] Please review draft-ietf-ipsecme-aes-… Sean Shen 沈烁
- [IPsec] comments on draft-ietf-ipsecme-aes-ctr-ik… David McGrew
- Re: [IPsec] comments on draft-ietf-ipsecme-aes-ct… Paul Hoffman
- Re: [IPsec] comments on draft-ietf-ipsecme-aes-ct… Dan Harkins
- Re: [IPsec] comments on draft-ietf-ipsecme-aes-ct… Paul Hoffman