Re: [IPsec] Stephen Farrell's Yes on draft-ietf-ipsecme-chacha20-poly1305-11: (with COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 09 July 2015 09:17 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 514041A88D0; Thu, 9 Jul 2015 02:17:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dn529-z8PzNV; Thu, 9 Jul 2015 02:17:54 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBA551A88C2; Thu, 9 Jul 2015 02:17:53 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 3CDC9BE50; Thu, 9 Jul 2015 10:17:52 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1436433472; bh=OknbgJm0H7fQq0gywn0tRymL8JOUo3bOm86Oo7yPs9o=; h=Date:From:To:CC:Subject:References:In-Reply-To:From; b=UQJZbAyzC8hEEDNt7XxCRc6LkuuuYtb4wyda+jCJ4x/ID0CWzYP4XC31ciGu6YjZo Bs8OpKOJnshBsgT+5vB+Co8QyUHipF0Gpgok/vs/MqAHYBCOgNTzQmsZKs6DKBo93h y42hX63XyEdtO29OzHKhseDTwCIo3YEriF26u4Aw=
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gvc6V1Hsmmwa; Thu, 9 Jul 2015 10:17:52 +0100 (IST)
Received: from [134.226.63.24] (cswireless63-24.scss.tcd.ie [134.226.63.24]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 0785CBDF9; Thu, 9 Jul 2015 10:17:52 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1436433472; bh=OknbgJm0H7fQq0gywn0tRymL8JOUo3bOm86Oo7yPs9o=; h=Date:From:To:CC:Subject:References:In-Reply-To:From; b=UQJZbAyzC8hEEDNt7XxCRc6LkuuuYtb4wyda+jCJ4x/ID0CWzYP4XC31ciGu6YjZo Bs8OpKOJnshBsgT+5vB+Co8QyUHipF0Gpgok/vs/MqAHYBCOgNTzQmsZKs6DKBo93h y42hX63XyEdtO29OzHKhseDTwCIo3YEriF26u4Aw=
Message-ID: <559E3C3F.6000609@cs.tcd.ie>
Date: Thu, 09 Jul 2015 10:17:51 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Yoav Nir <ynir.ietf@gmail.com>
References: <20150707231501.2664.3995.idtracker@ietfa.amsl.com> <B7841E74-01F5-4E8F-A74F-3408F78DF10A@gmail.com> <559CCED6.3050403@cs.tcd.ie> <6D8B7104-F696-47EA-ABA1-9634B97B2184@nohats.ca> <559D2B09.7060909@cs.tcd.ie> <69B0584C-54F3-42FF-935C-D76D96DD1699@gmail.com>
In-Reply-To: <69B0584C-54F3-42FF-935C-D76D96DD1699@gmail.com>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/XNbNy3Oe5KN_iZfhFlpDIP7nrjQ>
Cc: "ipsecme-chairs@ietf.org" <ipsecme-chairs@ietf.org>, "draft-ietf-ipsecme-chacha20-poly1305@ietf.org" <draft-ietf-ipsecme-chacha20-poly1305@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, "ipsec@ietf.org" <ipsec@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-ipsecme-chacha20-poly1305.ad@ietf.org" <draft-ietf-ipsecme-chacha20-poly1305.ad@ietf.org>, Paul Wouters <paul@nohats.ca>, "draft-ietf-ipsecme-chacha20-poly1305.shepherd@ietf.org" <draft-ietf-ipsecme-chacha20-poly1305.shepherd@ietf.org>
Subject: Re: [IPsec] Stephen Farrell's Yes on draft-ietf-ipsecme-chacha20-poly1305-11: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2015 09:17:57 -0000
That change is really good thanks, S On 09/07/15 08:51, Yoav Nir wrote: > So, how about replacing the first two paragraphs? > > OLD: > The Advanced Encryption Standard (AES - [FIPS-197]) has become the > gold standard in encryption. Its efficient design, wide > implementation, and hardware support allow for high performance in > many areas, including IPsec VPNs. On most modern platforms, AES is > anywhere from 4x to 10x as fast as the previous most-used cipher, > 3-key Data Encryption Standard (3DES - [SP800-67]). 3DES also has a > 64-bit block, which means that the amount of data that can be > encrypted before rekeying is required is not great. These reasons > make AES not only the best choice, but the only choice. > > The problem is that if future advances in cryptanalysis reveal a > weakness in AES, VPN users will be in an unenviable position. With > the only other widely supported cipher being the much slower 3DES, it > is not feasible to re-configure IPsec installations away from AES. > [standby-cipher] describes this issue and the need for a standby > cipher in greater detail. > > NEW: > The Advanced Encryption Standard (AES - [FIPS-197]) has become the > go-to algorithm for encryption. It is now the most commonly used > algorithm in many areas, including IPsec virtual private networks > (VPN). On most modern platforms AES is anywhere from 4x to 10x as > fast as the previous popular cipher, 3-key Data Encryption Standard > (3DES - [SP800-67]). 3DES also uses a 64-bit block, which means that > the amount of data that can be encrypted before rekeying is required > is limited. These reasons make AES not only the best choice, but the > only viable choice for IPsec. > > The problem is that if future advances in cryptanalysis reveal a > weakness in AES, VPN users will be in an unenviable position. With > the only other widely supported cipher for IPsec implementations > being the much slower 3DES, it is not feasible to re-configure IPsec > installations away from AES. [standby-cipher] describes this issue > and the need for a standby cipher in greater detail. > > > Yoav >
- [IPsec] Stephen Farrell's Yes on draft-ietf-ipsec… Stephen Farrell
- Re: [IPsec] Stephen Farrell's Yes on draft-ietf-i… Yoav Nir
- Re: [IPsec] Stephen Farrell's Yes on draft-ietf-i… Stephen Farrell
- Re: [IPsec] Stephen Farrell's Yes on draft-ietf-i… Paul Wouters
- Re: [IPsec] Stephen Farrell's Yes on draft-ietf-i… Stephen Farrell
- Re: [IPsec] Stephen Farrell's Yes on draft-ietf-i… Yoav Nir
- Re: [IPsec] Stephen Farrell's Yes on draft-ietf-i… Stephen Farrell