Re: [IPsec] draft-fluhrer-qr-ikev2-01
"Valery Smyslov" <svanru@gmail.com> Sat, 20 February 2016 16:42 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF0E81A8981 for <ipsec@ietfa.amsl.com>; Sat, 20 Feb 2016 08:42:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.15
X-Spam-Level: ***
X-Spam-Status: No, score=3.15 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_CHARSET_FARAWAY=2.45, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r1BNNghguvlC for <ipsec@ietfa.amsl.com>; Sat, 20 Feb 2016 08:42:52 -0800 (PST)
Received: from mail-lb0-x22f.google.com (mail-lb0-x22f.google.com [IPv6:2a00:1450:4010:c04::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C94BE1A8958 for <ipsec@ietf.org>; Sat, 20 Feb 2016 08:42:51 -0800 (PST)
Received: by mail-lb0-x22f.google.com with SMTP id bc4so62547832lbc.2 for <ipsec@ietf.org>; Sat, 20 Feb 2016 08:42:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:cc:references:in-reply-to:subject:date :mime-version:content-type:content-transfer-encoding:importance; bh=UIsL9D+w441zYOP7M16BFejTblx28QgqJYs8PtKCe9E=; b=yc1MHkP/P09nozdf6y7DbIgv7NfqGr9czkfEof8yaIhrKCl2TlbK/NSjf1Eandudpp kMoTFSCKhxCoCV5DVRyhAgbsvBR70GwuNoDVefAdWttBSP4bYiQdcWqY/i0Svmekk8HZ 2wFAegTcosXGmfpvBz0UvW8ztRb87KZ8kNc8n3Z0AzzFvLELcmZXKTp3dQm9UtCHrUX0 D4HlwimvxIaa0V4k3H6nku89dOmkaG0gvAUlclwqvDw8lZEG0GYShuNwH46p3YfWYx6E B5nWr6QeIS5BH2YHoonXgcPbc3RNoH9PfSgI9zaTiQ2iykp65juCNVelAMKtY0DFk+I5 ZKgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:from:to:cc:references:in-reply-to :subject:date:mime-version:content-type:content-transfer-encoding :importance; bh=UIsL9D+w441zYOP7M16BFejTblx28QgqJYs8PtKCe9E=; b=CJg2x4zOHEwomagMDJ1588TU5MkrnkflKPoyg7cCBw+RpkMox4+D1zOFovtz1f56YL ycIoJAdDEMDpp1C4P6gIC8/CJ+c4QnIVj2BNhFyt5qJVPG4083Y8Ygt7SI9gfb4C5Uk1 8oHfBVpGcZCOKiHdF5kweWe2WYkAHVsqXM2et1hZrMwaze/dcrfS2tbs1U0kZc8IErZs JYvU1P4QQSfUNh5cFNoz1Wp5htFVzPoTxdBBA58b/5BlQ2DYFv4BfSG3zuOzTHhGZ2jT xVq+KRkXFQftciZ3iUi3dKkCCwfnE4rfoi9h+6Q8JbdWgsJuzrnFWL8N/5dbZTa4Imkp z2Rw==
X-Gm-Message-State: AG10YOSvCZi+ct1PbxJNszMH8lqsihyPcQWTGht+kyN688VXz2pcDiZj3FOHTet6M2QHYA==
X-Received: by 10.112.77.138 with SMTP id s10mr6299402lbw.125.1455986570054; Sat, 20 Feb 2016 08:42:50 -0800 (PST)
Received: from chichi (ppp85-140-202-132.pppoe.mtu-net.ru. [85.140.202.132]) by smtp.gmail.com with ESMTPSA id td7sm2164327lbb.6.2016.02.20.08.42.48 (version=TLSv1/SSLv3 cipher=OTHER); Sat, 20 Feb 2016 08:42:49 -0800 (PST)
Message-ID: <C026CEA5C8A649B9874A164896A38E6F@chichi>
From: Valery Smyslov <svanru@gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <46cc66173e324ae0b788f36cd58f5dfa@XCH-RCD-006.cisco.com> <81FF76AD3936477D913A27BED694E464@buildpc> <85BF557F-8A66-405E-B879-E02A01EBA365@vpnc.org>
In-Reply-To: <85BF557F-8A66-405E-B879-E02A01EBA365@vpnc.org>
Date: Sat, 20 Feb 2016 19:42:42 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="koi8-r"; reply-type="response"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/r2xQQQAsyvp1GtVIpLO5dEuqlaw>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2-01
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Feb 2016 16:42:54 -0000
Hi Paul, there is no heuristics in my proposal. The initiator's SA payload contains all PRFs it supports. The responder can pick up any of them and be sure that the chosen PRF is supported by initiator. It is a native negotiation mechanism of IKEv2. And note that DDoS protection draft uses exactly the same mechanism. And I never said that support for AES will be removed. I meant that there are some alternatives for AES (like Chacha20), which are not supported in hardware. Moreover, if (for example) SHA2 is supported in hardware tomorrow, then there will be no perfirmance advantages in using AES. What about the registries - I just follow Occam's razor principle. Regards, Valery. -----Original Message----- From: Paul Hoffman Date: 20 февраля 2016 г. 18:12 To: Valery Smyslov Cc: ipsec@ietf.org Subject: Re: [IPsec] draft-fluhrer-qr-ikev2-01 <no hat> Your proposal of using heuristics from the SA payload instead of using a new registry seems like a bad tradeoff. It costs nothing to create a new registry. Further, the code that implementers need to write to use the new registered value is smaller *and more definitive* than the code needed to use your proposed heuristics. As for your prediction that AES support might be removed from some CPUs in the future: that seems particularly unlikely. Basically, you never see CPU features removed from a product line. You sometimes see new families of low-end CPUs designed without all the features of current CPUs, but even that would not be a negative here. Further, if we need algorithms beyond AES in the future, it seems really likely that a competition for a replacement would favor one that could re-use the AES support in current chips. I think a small registry for the (hopefully) few developers who care about QR a decade before anyone thinks there is any possibility of its use is a reasonable way forward. --Paul Hoffman
- [IPsec] draft-fluhrer-qr-ikev2-01 Scott Fluhrer (sfluhrer)
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Paul Wouters
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Paul Hoffman
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov
- [IPsec] draft-fluhrer-qr-ikev2-01 Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Paul Wouters
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Paul Wouters
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Scott Fluhrer (sfluhrer)
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Michael Richardson
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Scott Fluhrer (sfluhrer)
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Michael Richardson
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Scott Fluhrer (sfluhrer)
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Scott Fluhrer (sfluhrer)
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov