Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange
Tero Kivinen <kivinen@iki.fi> Wed, 07 November 2012 19:13 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EDF821F8BE1 for <ipsec@ietfa.amsl.com>; Wed, 7 Nov 2012 11:13:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.598
X-Spam-Level:
X-Spam-Status: No, score=-102.598 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, NORMAL_HTTP_TO_IP=0.001, USER_IN_WHITELIST=-100, WEIRD_PORT=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NPvasEcuLUYg for <ipsec@ietfa.amsl.com>; Wed, 7 Nov 2012 11:13:14 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id 300F121F8A0C for <ipsec@ietf.org>; Wed, 7 Nov 2012 11:13:13 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.5/8.14.5) with ESMTP id qA7JCmoK000414 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 7 Nov 2012 21:12:48 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.5/8.12.11) id qA7JCmZA012948; Wed, 7 Nov 2012 21:12:48 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <20634.45743.909055.939291@fireball.kivinen.iki.fi>
Date: Wed, 07 Nov 2012 21:12:47 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Johannes Merkle <johannes.merkle@secunet.com>
In-Reply-To: <509AA6B9.9040309@secunet.com>
References: <747787E65E3FBD4E93F0EB2F14DB556B0F507F6B@xmb-rcd-x04.cisco.com> <509AA6B9.9040309@secunet.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 10 min
X-Total-Time: 10 min
Cc: IPsecme WG <ipsec@ietf.org>, Manfred Lochter <Manfred.Lochter@bsi.bund.de>, "David McGrew (mcgrew)" <mcgrew@cisco.com>, "rfc-ise@rfc-editor.org" <rfc-ise@rfc-editor.org>
Subject: Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2012 19:13:15 -0000
Johannes Merkle writes: > I see your point, but I am not sure, if it is good to maintain a > limitation of the previous RFCs for the new curves as > well. At least not, if we agree that point compression is a > reasonable feature (which is still discussed below). Every single option adds complexity, so I do not think we should add more optional things. > If using certificate-based authentication, probably the largest > payload is the CERT. It contains a public key and a signature, > which, when using the same curve as for KE, are (together) 3-4 times > larger than a compressed KE payload. In addition, some smaller data > fields as the DNs, algorithm identifiers, validity, serial, and some > ASN.1 overhead. But according to RFC 5480 one can use point > compression for the public key contained in the certificate as well, > which means that the implementation must be able to handle this > anyway. You can replace X.509 cert in CERT payload with hash and url, which will make the payload to be around 60 bytes or so depending on the length of the url used (5 bytes for header + 20 bytes for hash, and 29 bytes for url in format of "http://123.123.123.123:1234/"). Bit more if the URL has IPv6 address. > I agree with you that the saving is small, but from what I have > heard about constrained environment, even a saving below 10% can be > desirable. Not sending the CERT, but replacing it with hash and url offers much bigger savings, and people are not even doing that. > > More importantly, the TLS ECC RFC allows the > > negotiation of supported point formats; only uncompressed format is a > > MUST-implement (see Section 5.1.2 of RFC4492). > > That is a good point, but unfortunately in IKE, KE methods are not > negotiated at all. This is not only an special issue for ECC or > point compression. If the other peer does not understand the curve > you are using or ECC at all, that you end up in INVALID_KE_PAYLOAD > notification and have to re-try. Note, that negotiating the use of point compression without retry or not would waste more bytes then the point compression saves... The KE payload is in the first packet, which means that to be able to negotiate it beforehand would require one extra roundtrip. The IKEv2 headers + notify payloads etc would be 2 * (28 + 8 bytes) = 72 bytes which is already quite big EC key Y part... > Yes, introducing point compression doubles the number of new > possibilities to choose from: 8 instead of 4 in the case of the 4 > groups defined in the draft. But this number is still moderate. I would prefer not to do that. > As to the definition of separate transform IDs, I don't understand, > why only this should allow point compression to be optional. The > transform Id serves for identifying the group. The encoding > (compressed or uncompressed) can be determined from the length of > the KE payload and the group. If I remember right the reason IKEv2 does not use point compression for the current groups was that there was some IPR. Is that issue already been cleared? -- kivinen@iki.fi
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Andrey Jivsov
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Andrey Jivsov
- [IPsec] I-D on Using the ECC Brainpool Curves for… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… David McGrew (mcgrew)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… David McGrew (mcgrew)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Tero Kivinen
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Derek Atkins
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Dan Harkins
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… David McGrew (mcgrew)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Yoav Nir
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Tero Kivinen
- [IPsec] I-D on Using the ECC Brainpool Curves for… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Dan Harkins
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Scott Fluhrer (sfluhrer)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Yaron Sheffer
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Yoav Nir
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Scott Fluhrer (sfluhrer)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Dan Harkins
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Yoav Nir
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Yaron Sheffer
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Scott Fluhrer (sfluhrer)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Yaron Sheffer
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Tero Kivinen
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Scott Fluhrer (sfluhrer)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Scott Fluhrer (sfluhrer)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Stephen Kent
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Yaron Sheffer
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Tero Kivinen
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Scott Fluhrer (sfluhrer)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Andrey Jivsov
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Stephen Kent
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Andrey Jivsov