IETF Logo Mail Archive

Re: [IPsec] Please review draft-ietf-ipsecme-aes-ctr-ikev2-05.txt

Sean Shen 沈烁 <shenshuo@cnnic.cn> Mon, 08 March 2010 08:19 UTC

Return-Path: <shenshuo@cnnic.cn>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 959CF3A6781 for <ipsec@core3.amsl.com>; Mon, 8 Mar 2010 00:19:28 -0800 (PST)
X-Quarantine-ID: <6oxvc2SQqQNI>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BAD HEADER, Duplicate header field: "Message-ID"
X-Spam-Flag: NO
X-Spam-Score: 3.42
X-Spam-Level: ***
X-Spam-Status: No, score=3.42 tagged_above=-999 required=5 tests=[AWL=2.502, BAYES_40=-0.185, MIME_8BIT_HEADER=0.3, MSGID_FROM_MTA_HEADER=0.803]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6oxvc2SQqQNI for <ipsec@core3.amsl.com>; Mon, 8 Mar 2010 00:19:27 -0800 (PST)
Received: from cnnic.cn (smtp.cnnic.cn [159.226.7.146]) by core3.amsl.com (Postfix) with SMTP id 25EDE3A63EB for <ipsec@ietf.org>; Mon, 8 Mar 2010 00:19:26 -0800 (PST)
Received: (eyou send program); Mon, 08 Mar 2010 16:18:51 +0800
Message-ID: <468036331.20323@cnnic.cn>
Received: from unknown (HELO shen) (127.0.0.1) by 127.0.0.1 with SMTP; Mon, 08 Mar 2010 16:18:51 +0800
Message-ID: <00af01cabe97$f8de0740$cb7d2dc4@SHEN>
From: Sean Shen 沈烁 <shenshuo@cnnic.cn>
To: IPsecme WG <ipsec@ietf.org>
References: <p06240825c7b4519f594c@[10.20.30.158]> <467703256.20935@cnnic.cn>
Date: Mon, 08 Mar 2010 15:39:49 +0800
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3598
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
Subject: Re: [IPsec] Please review draft-ietf-ipsecme-aes-ctr-ikev2-05.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Mar 2010 08:19:31 -0000

>   Security considerations explained in section 7 of [RFC3686] are
>   entirely relevant for this draft also.  The security considerations
>   on fresh keys and integrity protection in section 7 of [RFC3686] are
>   totally applicable on using AES-CTR in IKEv2; see [RFC3686] for
>   details.  Due to this reasons, static keys are never used for the IKE
>   SA and the IKE_SA always uses integrity protection.
> 
> The last paragraph is bit misleading, as there is no way static keys
> can be used in IKE SA at all, and this is not because of the issues of
> AES-CTR. Also integrity protection is already mandatory for IKEv2 IKE
> SA regardless whether AES-CTR is used or not. It would be better to
> replace the last sentence with:
> 
>   As static keys are never used in IKEv2 for IKE_SA and integrity
>   protection is mandatory for IKE_SA, these issues are not applicable
>   for AES-CTR in IKEv2 when protecting IKE_SA.

Agree, I will reword this part. 

Sean

v2.23.0 | Report a Bug | By Email