IETF Logo Mail Archive

Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

Tero Kivinen <kivinen@iki.fi> Wed, 07 November 2012 19:13 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EDF821F8BE1 for <ipsec@ietfa.amsl.com>; Wed, 7 Nov 2012 11:13:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.598
X-Spam-Level:
X-Spam-Status: No, score=-102.598 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, NORMAL_HTTP_TO_IP=0.001, USER_IN_WHITELIST=-100, WEIRD_PORT=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NPvasEcuLUYg for <ipsec@ietfa.amsl.com>; Wed, 7 Nov 2012 11:13:14 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id 300F121F8A0C for <ipsec@ietf.org>; Wed, 7 Nov 2012 11:13:13 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.5/8.14.5) with ESMTP id qA7JCmoK000414 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 7 Nov 2012 21:12:48 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.5/8.12.11) id qA7JCmZA012948; Wed, 7 Nov 2012 21:12:48 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <20634.45743.909055.939291@fireball.kivinen.iki.fi>
Date: Wed, 07 Nov 2012 21:12:47 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Johannes Merkle <johannes.merkle@secunet.com>
In-Reply-To: <509AA6B9.9040309@secunet.com>
References: <747787E65E3FBD4E93F0EB2F14DB556B0F507F6B@xmb-rcd-x04.cisco.com> <509AA6B9.9040309@secunet.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 10 min
X-Total-Time: 10 min
Cc: IPsecme WG <ipsec@ietf.org>, Manfred Lochter <Manfred.Lochter@bsi.bund.de>, "David McGrew (mcgrew)" <mcgrew@cisco.com>, "rfc-ise@rfc-editor.org" <rfc-ise@rfc-editor.org>
Subject: Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2012 19:13:15 -0000

Johannes Merkle writes:
> I see your point, but I am not sure, if it is good to maintain a
> limitation of the previous RFCs for the new curves as 
> well. At least not, if we agree that point compression is a
> reasonable feature (which is still discussed below). 

Every single option adds complexity, so I do not think we should add
more optional things. 

> If using certificate-based authentication, probably the largest
> payload is the CERT. It contains a public key and a signature,
> which, when using the same curve as for KE, are (together) 3-4 times
> larger than a compressed KE payload. In addition, some smaller data
> fields as the DNs, algorithm identifiers, validity, serial, and some
> ASN.1 overhead. But according to RFC 5480 one can use point
> compression for the public key contained in the certificate as well,
> which means that the implementation must be able to handle this
> anyway.

You can replace X.509 cert in CERT payload with hash and url, which
will make the payload to be around 60 bytes or so depending on the
length of the url used (5 bytes for header + 20 bytes for hash, and 29
bytes for url in format of "http://123.123.123.123:1234/"). Bit more
if the URL has IPv6 address.

> I agree with you that the saving is small, but from what I have
> heard about constrained environment, even a saving below 10% can be
> desirable.

Not sending the CERT, but replacing it with hash and url offers much
bigger savings, and people are not even doing that.

> > More importantly, the TLS ECC RFC allows the
> > negotiation of supported point formats; only uncompressed format is a
> > MUST-implement (see Section 5.1.2 of RFC4492).  
> 
> That is a good point, but unfortunately in IKE, KE methods are not
> negotiated at all. This is not only an special issue for ECC or
> point compression. If the other peer does not understand the curve
> you are using or ECC at all, that you end up in INVALID_KE_PAYLOAD
> notification and have to re-try.

Note, that negotiating the use of point compression without retry or
not would waste more bytes then the point compression saves... The KE
payload is in the first packet, which means that to be able to
negotiate it beforehand would require one extra roundtrip. The IKEv2
headers + notify payloads etc would be 2 * (28 + 8 bytes) = 72 bytes
which is already quite big EC key Y part... 

> Yes, introducing point compression doubles the number of new
> possibilities to choose from: 8 instead of 4 in the case of the 4
> groups defined in the draft. But this number is still moderate.

I would prefer not to do that.

> As to the definition of separate transform IDs, I don't understand,
> why only this should allow point compression to be optional. The
> transform Id serves for identifying the group. The encoding
> (compressed or uncompressed) can be determined from the length of
> the KE payload and the group.

If I remember right the reason IKEv2 does not use point compression
for the current groups was that there was some IPR. Is that issue
already been cleared?
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email