Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-ikev2-02
Tero Kivinen <kivinen@iki.fi> Tue, 20 October 2009 09:07 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 62E3728C0F4 for <ipsec@core3.amsl.com>; Tue, 20 Oct 2009 02:07:15 -0700 (PDT)
X-Quarantine-ID: <UMIyaLzR8ziB>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BAD HEADER, Non-encoded 8-bit data (char CE hex): Cc: Alfred H\316nes <ah@tr-sys.[...]
X-Spam-Flag: NO
X-Spam-Score: -1.449
X-Spam-Level:
X-Spam-Status: No, score=-1.449 tagged_above=-999 required=5 tests=[AWL=1.150, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UMIyaLzR8ziB for <ipsec@core3.amsl.com>; Tue, 20 Oct 2009 02:07:14 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id 2FBA428C0F3 for <ipsec@ietf.org>; Tue, 20 Oct 2009 02:07:14 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.13.8) with ESMTP id n9K97FOD003669 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 20 Oct 2009 12:07:15 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id n9K97EC5016676; Tue, 20 Oct 2009 12:07:14 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19165.32194.275245.431639@fireball.kivinen.iki.fi>
Date: Tue, 20 Oct 2009 12:07:14 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Shen Sean <sean.s.shen@gmail.com>
In-Reply-To: <80b5a9190910190108t46e6c862s9f8c48895e5b3851@mail.gmail.com>
References: <200910131509.RAA22549@TR-Sys.de> <80b5a9190910190108t46e6c862s9f8c48895e5b3851@mail.gmail.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 8 min
X-Total-Time: 9 min
Cc: ipsec@ietf.org, Alfred H�nes <ah@tr-sys.de>, draft-ietf-ipsecme-aes-ctr-ikev2@tools.ietf.org
Subject: Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-ikev2-02
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Oct 2009 09:07:15 -0000
Shen Sean writes: > (3) Section 2 (and ff.) ... > The number of (internal) rounds is totally irrelevant for the > application of the AES. Any attempt to mangle with this 'parameter' > would raise significant security concerns and conformance issues. > I strongly request to elide all mention of "rounds" from the draft. I agree on that. In most cases the AES is implemented as part of cryptographic library or hardware, and for those you usually just indicate the key length to be used and that automatically selects the number of rounds. > [Sean] The intention of such a document is to give what a IKEv2 product > MUST/SHOULD/MAY provide. A user may not have "choices" of rounds or size, > but a vendor need to know what to provide. Usually even the vendor does not have choice, or even possibility to change the number of rounds, as that is hidden inside cryptographic library. > (15) Section 7 > > I suggest to more clearly indicate what this draft is expecting IANA > to do: adding a reference to this memo for an existing registration. > > | IANA has assigned 13 as the transform ID for ENCR_AES_CTR encryption > | with an explicit IV. This ID is to be used during IKE_SA > | negotiation. > --- > | Per [RFC3686], IANA has assigned 13 as the "IKEv2 Encryption > | Transform ID" to the name "ENCR_AES_CTR" for AES-CTR encryption with > | an explicit IV, in the IANA "Internet Key Exchange Version 2 (IKEv2) > | Parameters" registry. This document specifies how to use this > | transform during IKE_SA negotiations. Hence IANA should add to that > | entry a reference to this RFC. > [Sean] It's a good point, but for IANA's reference to this document, I > assume iana will updated their reference (following some rocedure?) when > this document is processed. Let me know if we have to request it in the > draft. I would not count on that. For example IANA didn't update the ENCR_AES-CCM_* or AES_GCM with a * octect ICV references for the RFC5282 automatically, so better add text there. -- kivinen@iki.fi
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Sean Shen
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Shen Sean
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Tero Kivinen
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Shen Sean
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Paul Koning
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Tero Kivinen
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Sean Shen
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Alfred Hönes
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Sean Shen
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Alfred Hönes
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Alfred Hönes