[IPsec] Comments on draft-ietf-ipsecme-implicit-iv

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Sun, 25 March 2018 18:10 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/mwmDyrJuSi2yC13rn9eBRm1eJZ8>

- Section 4: "Section 3.5 of [RFC6407] explains how repetition MAY BE prevented by using a prefix for each group member"

Actually, RFC6407 just refers to RFC6054; that has the SID in the top 8 bits of the 8 byte sequence number. Used literally, this doesn't work, as the top 8 bits of the 8 byte sequence number are never expressed in the packet in implicit-iv. You could put them in the top 8 bits of the 4 byte sequence number (which means you can't use ESN, but it didn't work in the multisender case anyways), but that would mean that each sender would be limited to 16M packets. I believe that these details are distinct enough that (if this is considered a viable alternative) they should be explicitly listed (including the 16M packet restriction). Alternatively, we can just forbid this transform in the multisender case.


- Section 6: "The rules of SA payload processing ensure that the responder will never send an SA payload containing the IIV indicator to an initiator that does not support IIV"

I believe that this is stale text; the current draft doesn't use an indicator; instead, it defines separate transform IDs.


- Section 8 has "AES-CTR ... [is] likely to implement the implicit IV described in this document"; however the transform ENCR_AES_CTR_IIV is not defined. Is this intended? Should we either remove the AES-CTR algorithm from the list of "likely to implement", or should we actually define the transform id for it?
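
The Section 4 comment above, worked through as an added example (not part of the email or the draft): with the SID in the top 8 bits of the 8-byte counter, two senders put the same 32-bit value in the packet, while a SID in the top 8 bits of the 4-byte sequence number keeps senders apart at the cost of a 2^24 (16M) packet limit each. Function names, SIDs and counters are constructed for illustration.

```python
# Added illustration: constructed SIDs and counters, not values from the draft.
SID_BITS = 8
WIRE_SEQ_BITS = 32  # ESP carries a 32-bit sequence number field in each packet


def _check_sid(sid):
    if not 0 <= sid < (1 << SID_BITS):
        raise ValueError("SID must fit in 8 bits")


def sid_in_counter64(sid, count):
    """Literal layout from the email: SID in the top 8 bits of the 8-byte counter."""
    _check_sid(sid)
    if not 0 <= count < (1 << 56):
        raise OverflowError("sender counter space exhausted")
    return (sid << 56) | count


def on_wire(counter64):
    """Only the low 32 bits of the counter appear in the packet."""
    return counter64 & ((1 << WIRE_SEQ_BITS) - 1)


def literal_layout(sid, count):
    """What a receiver sees when the SID sits in the 8-byte counter's top byte."""
    return on_wire(sid_in_counter64(sid, count))


def sid_in_seq32(sid, count):
    """Alternative layout: SID in the top 8 bits of the 4-byte sequence number."""
    _check_sid(sid)
    limit = 1 << (WIRE_SEQ_BITS - SID_BITS)  # 2**24 packets per sender
    if not 0 <= count < limit:
        raise OverflowError("sender exceeded %d packets" % limit)
    return (sid << (WIRE_SEQ_BITS - SID_BITS)) | count


def wire_collisions(layout, senders, packets_each):
    """Return the wire sequence values that more than one sender would emit."""
    seen, clashes = {}, set()
    for sid in senders:
        for count in range(packets_each):
            value = layout(sid, count)
            if seen.setdefault(value, sid) != sid:
                clashes.add(value)
    return sorted(clashes)


if __name__ == "__main__":
    print(wire_collisions(literal_layout, [1, 2], 3))  # values shared by both senders
    print(wire_collisions(sid_in_seq32, [1, 2], 3))    # no shared values
```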