[IPsec] Reply: New Version Notification for draft-guo-ipsecme-ikev2-using-shangmi-00.txt

"Xialiang(Frank, IP Security Standard)" <frank.xialiang@huawei.com> Tue, 12 March 2024 03:51 UTC

From: "Xialiang(Frank, IP Security Standard)" <frank.xialiang@huawei.com>
To: Paul Wouters <paul@nohats.ca>
CC: "ipsec@ietf.org" <ipsec@ietf.org>, guoyanfei <guoyanfei3@huawei.com>, Yu Fu <fuy186@chinaunicom.cn>
Date: Tue, 12 Mar 2024 03:51:05 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/PulsG5Z8DmX_rlqtoXORCJlWz1E>

Hi Paul:

Thanks for your advice and the comments on the draft!
About your suggestion of the ISE process and the IPsecME WG "Expert Review", we will follow this existing way.

For the comments corresponding to the CBC and GCM variants, please find my response as follows:
For the CBC variant, we keep it here because for IKEv2 and ESP (RFC 7296, RFC 3602), this encryption mode is still valid and not deprecated (see the reference https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-5). In addition, the specification for the use of ShangMi in IPsec in China also keeps CBC mode. Considering backward compatibility and the above reasons, deprecating the CBC mode may perhaps not be a good choice in our draft.

For the GCM variant, currently, there may be no ghash hardware instructions which can be used directly by GCM variants, but we can use the multiplication instruction to speed up ghash. SM4 computation can also benefit from CPU instruction acceleration.

I hope the above response can address your concern and any other comments are welcome any time. Thanks!

B.R.
Frank

-----Original Message-----
From: Paul Wouters <paul@nohats.ca>
Sent: March 11, 2024 8:29
To: Xialiang(Frank, IP Security Standard) <frank.xialiang@huawei.com>
Cc: ipsec@ietf.org; guoyanfei <guoyanfei3@huawei.com>; Yu Fu <fuy186@chinaunicom.cn>
Subject: Re: [IPsec] New Version Notification for draft-guo-ipsecme-ikev2-using-shangmi-00.txt

On Mon, 29 Jan 2024, Xialiang(Frank, IP Security Standard) wrote:

> We have submitted this new draft “Using ShangMi in the Internet Key Exchange Protocol Version 2 (IKEv2)”, which defines a set of cryptographic transforms for using in the IKEv2 based on Chinese cryptographic standard algorithms (called "ShangMi" or “SM” algorithms).
> The SM algorithms are mandatory in China, so this document provides a description of how to use the SM algorithms with IKEv2 and specifies a set of cryptographic transforms so that implementers can produce interworking implementations.

Thanks for the document. I believe the best way forward for these would be via the ISE. In which case the Working Group and Intended Status would need to be updated. But if the document proceeds that way, please keep the IPsecME WG in the loop. All the registries involved are "Expert Review", so it can be registered regardless of where or how the specification is published.

As for the draft itself, I have two questions.

Is the CBC variant really necessary? CBC is being made historic or deprecated for all other IETF uses (e.g. see TLS 1.3). Why introduce it now for IKEv2 and ESP in combination with ShangMi?

For the GCM variants, do you know if these can make use of the ghash hardware instructions? As in, would ENCR_SM4_GCM also benefit from CPU hardware instructions available?

Regards,

Paul


> Your comments are warmly welcome!
>
> B.R.
> Frank
>
> -----Original Message-----
> From: internet-drafts@ietf.org <internet-drafts@ietf.org>
> Sent: January 29, 2024 14:09
> To: Xialiang(Frank, IP Security Standard)
> <frank.xialiang@huawei.com>; guoyanfei <guoyanfei3@huawei.com>; Yu Fu
> <fuy186@chinaunicom.cn>
> Subject: New Version Notification for
> draft-guo-ipsecme-ikev2-using-shangmi-00.txt
>
> A new version of Internet-Draft 
> draft-guo-ipsecme-ikev2-using-shangmi-00.txt
> has been successfully submitted by Liang Xia and posted to the IETF repository.
>
> Name:     draft-guo-ipsecme-ikev2-using-shangmi
> Revision: 00
> Title:    Using ShangMi in the Internet Key Exchange Protocol Version 2 (IKEv2)
> Date:     2024-01-29
> Group:    Individual Submission
> Pages:    14
> URL:      https://www.ietf.org/archive/id/draft-guo-ipsecme-ikev2-using-shangmi-00.txt
> Status:   https://datatracker.ietf.org/doc/draft-guo-ipsecme-ikev2-using-shangmi/
> HTMLized: https://datatracker.ietf.org/doc/html/draft-guo-ipsecme-ikev2-using-shangmi
>
>
> Abstract:
>
>   This document defines a set of cryptographic transforms for using in
>   the Internet Key Exchange Protocol version 2 (IKEv2).  The transforms
>   are based on Chinese cryptographic standard algorithms (called
>   "ShangMi" or “SM” algorithms).
>
>   The use of these algorithms with IKEv2 is not endorsed by the IETF.
>   The SM algorithms are mandatory in China, so this document provides a
>   description of how to use the SM algorithms with IKEv2 and specifies
>   a set of cryptographic transforms so that implementers can produce
>   interworking implementations.
>
>
>
> The IETF Secretariat
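
On the point in the reply above about using a multiplication instruction to speed up ghash, an added example (not part of the thread or the draft): GHASH receives the block cipher only through the hash subkey H = E_K(0^128), so the GF(2^128) multiply below is the same code for AES-GCM and for an SM4-based GCM transform. The function names are this example's own, and the self-check uses test case 2 of the GCM specification, which is an AES-128 vector.

```c
#include <stdint.h>
#include <string.h>

/* x = x * h in GF(2^128), GCM bit order. A carry-less multiply instruction
 * replaces this bit loop; nothing here depends on the block cipher. */
static void gf128_mul(uint8_t x[16], const uint8_t h[16]) {
    uint8_t z[16] = {0}, v[16];
    memcpy(v, h, 16);
    for (int i = 0; i < 128; i++) {
        if (x[i / 8] & (0x80 >> (i % 8)))
            for (int j = 0; j < 16; j++) z[j] ^= v[j];
        int carry = v[15] & 1;
        for (int j = 15; j > 0; j--)
            v[j] = (uint8_t)((v[j] >> 1) | (v[j - 1] << 7));
        /* shift right, then reduce by x^128 + x^7 + x^2 + x + 1 */
        v[0] = (uint8_t)((v[0] >> 1) ^ (carry ? 0xe1 : 0));
    }
    memcpy(x, z, 16);
}

/* GHASH(H, A, C): h = E_K(0^128) is the only cipher-dependent input. */
void ghash(const uint8_t h[16], const uint8_t *aad, size_t aad_len,
           const uint8_t *ct, size_t ct_len, uint8_t out[16]) {
    const uint8_t *part[2] = { aad, ct };
    size_t len[2] = { aad_len, ct_len };
    memset(out, 0, 16);
    for (int p = 0; p < 2; p++)               /* A then C, zero-padded blocks */
        for (size_t off = 0; off < len[p]; off += 16) {
            size_t n = len[p] - off < 16 ? len[p] - off : 16;
            for (size_t j = 0; j < n; j++) out[j] ^= part[p][off + j];
            gf128_mul(out, h);
        }
    for (int j = 0; j < 8; j++) {             /* len(A) || len(C) in bits */
        out[j]     ^= (uint8_t)(((uint64_t)aad_len * 8) >> (56 - 8 * j));
        out[8 + j] ^= (uint8_t)(((uint64_t)ct_len * 8) >> (56 - 8 * j));
    }
    gf128_mul(out, h);
}

/* Self-check on GCM specification test case 2 (AES-128, all-zero key). */
int ghash_selftest(void) {
    static const uint8_t H[16] = { 0x66,0xe9,0x4b,0xd4,0xef,0x8a,0x2c,0x3b,
                                   0x88,0x4c,0xfa,0x59,0xca,0x34,0x2b,0x2e };
    static const uint8_t C[16] = { 0x03,0x88,0xda,0xce,0x60,0xb6,0xa3,0x92,
                                   0xf3,0x28,0xc2,0xb9,0x71,0xb2,0xfe,0x78 };
    static const uint8_t want[16] = { 0xf3,0x8c,0xbb,0x1a,0xd6,0x92,0x23,0xdc,
                                      0xc3,0x45,0x7a,0xe5,0xb6,0xb0,0xf8,0x85 };
    uint8_t got[16];
    ghash(H, NULL, 0, C, sizeof C, got);
    return memcmp(got, want, 16) == 0;
}
```

For an SM4-based transform, only the 16 bytes passed as `h` change: they are the SM4 encryption of the all-zero block under the session key.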