Comments on ESP and AH IPSEC drafts.

Rob Adams <adams@cisco.com> Thu, 26 September 1996 22:14 UTC

Received: from cnri by ietf.org id aa20662; 26 Sep 96 18:14 EDT
Received: from neptune.hq.tis.com by CNRI.Reston.VA.US id aa29476; 26 Sep 96 18:14 EDT
Received: from neptune.tis.com by neptune.TIS.COM id aa11887; 26 Sep 96 17:47 EDT
Received: from relay.hq.tis.com by neptune.TIS.COM id aa11872; 26 Sep 96 17:40 EDT
Received: by relay.hq.tis.com; id RAA10327; Thu, 26 Sep 1996 17:44:08 -0400
Received: from sol.hq.tis.com(10.33.1.100) by relay.tis.com via smap (V3.1.1) id xma010311; Thu, 26 Sep 96 17:43:39 -0400
Received: from relay.hq.tis.com by tis.com (4.1/SUN-5.64) id AA26097; Thu, 26 Sep 96 17:45:52 EDT
Received: by relay.hq.tis.com; id RAA10308; Thu, 26 Sep 1996 17:43:38 -0400
Received: from hq.cisco.com(161.44.72.2) by relay.tis.com via smap (V3.1.1) id xma010306; Thu, 26 Sep 96 17:43:28 -0400
Received: from 161.44.128.127 ([161.44.128.127]) by HQ.CISCO.COM via INTERNET ; Thu, 26 Sep 1996 14:45:25 PDT
Date: Thu, 26 Sep 1996 14:44:01 -0000
From: Rob Adams <adams@cisco.com>
Message-Id: <19960926144401adams@161.44.128.127>
To: ipsec@tis.com
Subject: Comments on ESP and AH IPSEC drafts.
X-Mailer: Pronto Mail [tgv Ver 2.03]
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

After implementing the IPSEC AH and ESP transforms, I have a few
comments I'd like to make on the drafts.  Most of the comments I have 
concern the performance of the transforms. Although I've achieved 
performance numbers which are better than my expectations, there is 
always room for improvement.   Also, the more closely the transforms 
perform to clear packets, the faster people will adopt IPSEC in general, 
obviously. 


ESP Draft (draft-ipsec-esp-des-md5-03.txt Sept 96):

Section 2.2: Initialization Vector.

I think including an IV in the packet should constitute a separate 
transform with a unique IANA designation.   Optional fields slow 
performance and in this case, the keying material and caching information 
are different even though most of the actual operation is substantially 
the same.  A separate transform designation would allow implementations 
treat the packets differently, to store cached information differently 
and process packets uniformly without in-line testing.   Implementations 
could achieve the same effect by sub-categorizing transform designations 
on their own, however a separate designation would allow the transforms to 
diverge in order to support hardware assist (original intention) and to 
simplify SA negotiation for transforms without the IV. 

Section 2.3: Replay Prevention.

I don't see the purpose of negotiated window sizes unless there is some 
vulnerability in accepting out of order packets.  I don't know of any such 
vulnerabilities but if there are, it would be nice if they were called out 
in the draft.   If there are no such vulnerabilities, then why would I ever 
want to NOT support receiving packets out of order if my implementation 
supports a sliding window?  If I'm communicating with a host that does not 
have a window, I'll be re-transmitting a lot of packets but there is no 
reason for me not to accept packets out of order.   This seems like an 
implementation detail not to be negotiated. 


Section 2.5: Padding.

I would like to suggest placing the Payload Type, Pad Length and padding 
fields before the payload data.   Stop laughing.   After having implemented 
this, I can say that it would be a heck of a lot more efficient and 
therefore, perform better, if I didn't have to walk an MBUF chain twice to 
remove padding.  You have to do this twice because you have to go to the 
end first to get the length of the padding.   Since the padding could be 
spread out of a variable number of buffers behind you, you have to start at 
the head again and walk down until you find the buffer containing 
packet[length-pad], and free from there.  Chopping the data off the head of 
the buffer chain would save this walk and some hairy math to crop the right 
size of data off the end. 

The HMAC data at the end isn't as much of a problem because you can 
find it on the first pass.  Placing it at the head however would remove the 
buffer chain walk completely.    I don't know if this is enough of a win to 
change its location, considering the buffer would have to zero'd as is 
the case with AH.    



AH Draft (draft-ietf-ipsec-ah-hmac-md5-02.txt Aug 96) 

Section 2.1: Replay Prevention.

The replay field, as described, is NOT similar to the replay field 
described in the document ESP-DES-MD5 document.  ESP-DES-MD5 contains only 
a 32 bit field while this document calls for a 64 bit field.  Also, the 
paragraph concerning the key lifetime not exceeding the period to transmit 
2^64 packets contradicts other statement made in document. The section on 
keys states, "Thus implementations should, and as frequently as possible, 
change the AH key."  It seems a 32 bit replay field would be more in line 
with key refresh needs.    If we agree to a 64 bit field for easier support 
on 64 bit architectures, it may be wise to support using only 32 bits for 
key refresh purposes anyway.  

Also, for performance sake, could we make the field non-optional?  If the 
key negotiation determines the parties not do replay detection, the field 
should still exist, left untested.  This would fix the overhead of the 
header and reduce testing and gyrations around optional fields in the 
middle of the header.   If it is truly to be optional, lets move it to 
after the authentication data. 

As an overall comment, the AH document does not include varied keys for 
initiator and responder as the ESP document does.   Shouldn't we vary 
the keys in the same manner? 


Comments anyone?

------------------------------------------------
Rob Adams                       adams@cisco.com
Cisco Systems                   408 457 5200
101 Cooper St.
Santa Cruz, CA 95060