[IPsec] Please review draft-ietf-ipsecme-aes-ctr-ikev2-05.txt
Tero Kivinen <kivinen@iki.fi> Thu, 04 March 2010 11:47 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2BB593A8913 for <ipsec@core3.amsl.com>; Thu, 4 Mar 2010 03:47:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w5VnhdGgRGRb for <ipsec@core3.amsl.com>; Thu, 4 Mar 2010 03:47:22 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id 1299B3A863F for <ipsec@ietf.org>; Thu, 4 Mar 2010 03:47:21 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id o24BlIku022491 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 4 Mar 2010 13:47:18 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id o24BlH0s019906; Thu, 4 Mar 2010 13:47:17 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19343.40389.179402.103424@fireball.kivinen.iki.fi>
Date: Thu, 04 Mar 2010 13:47:17 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <p06240825c7b4519f594c@[10.20.30.158]>
References: <p06240825c7b4519f594c@[10.20.30.158]>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 6 min
X-Total-Time: 6 min
Cc: IPsecme WG <ipsec@ietf.org>
Subject: [IPsec] Please review draft-ietf-ipsecme-aes-ctr-ikev2-05.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Mar 2010 11:47:23 -0000
Paul Hoffman writes: > Based on Pasi's AD review, the authors significantly shortened the > document. It seems prudent to have the WG review the new, shorter > version. In particular, it would be good for developers to look at > the new short document and see if it is complete enough to implement > from. > > This review cycle will end in a week, but please do the review early > in case problems are found. The draft looks good, but I would clarify the security considerations section a bit. Now it says: Security considerations explained in section 7 of [RFC3686] are entirely relevant for this draft also. The security considerations on fresh keys and integrity protection in section 7 of [RFC3686] are totally applicable on using AES-CTR in IKEv2; see [RFC3686] for details. Due to this reasons, static keys are never used for the IKE SA and the IKE_SA always uses integrity protection. The last paragraph is bit misleading, as there is no way static keys can be used in IKE SA at all, and this is not because of the issues of AES-CTR. Also integrity protection is already mandatory for IKEv2 IKE SA regardless whether AES-CTR is used or not. It would be better to replace the last sentence with: As static keys are never used in IKEv2 for IKE_SA and integrity protection is mandatory for IKE_SA, these issues are not applicable for AES-CTR in IKEv2 when protecting IKE_SA. -- kivinen@iki.fi
- [IPsec] Please review draft-ietf-ipsecme-aes-ctr-… Paul Hoffman
- Re: [IPsec] Please review draft-ietf-ipsecme-aes-… Yoav Nir
- Re: [IPsec] Please review draft-ietf-ipsecme-aes-… Sean Shen
- Re: [IPsec] Please review draft-ietf-ipsecme-aes-… Raj Singh
- [IPsec] Please review draft-ietf-ipsecme-aes-ctr-… Tero Kivinen
- Re: [IPsec] Please review draft-ietf-ipsecme-aes-… Tero Kivinen
- Re: [IPsec] Please review draft-ietf-ipsecme-aes-… Scott C Moonen
- Re: [IPsec] Please review draft-ietf-ipsecme-aes-… Sean Shen 沈烁
- Re: [IPsec] Please review draft-ietf-ipsecme-aes-… Sean Shen 沈烁
- [IPsec] comments on draft-ietf-ipsecme-aes-ctr-ik… David McGrew
- Re: [IPsec] comments on draft-ietf-ipsecme-aes-ct… Paul Hoffman
- Re: [IPsec] comments on draft-ietf-ipsecme-aes-ct… Dan Harkins
- Re: [IPsec] comments on draft-ietf-ipsecme-aes-ct… Paul Hoffman