Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-ikev2-02
Shen Sean <sean.s.shen@gmail.com> Thu, 22 October 2009 01:22 UTC
Return-Path: <sean.s.shen@gmail.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1BFDD3A68D6 for <ipsec@core3.amsl.com>; Wed, 21 Oct 2009 18:22:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.808
X-Spam-Level:
X-Spam-Status: No, score=-1.808 tagged_above=-999 required=5 tests=[AWL=0.790, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id swhfBPFK9VFK for <ipsec@core3.amsl.com>; Wed, 21 Oct 2009 18:22:26 -0700 (PDT)
Received: from mail-px0-f183.google.com (mail-px0-f183.google.com [209.85.216.183]) by core3.amsl.com (Postfix) with ESMTP id 1446A3A68D3 for <ipsec@ietf.org>; Wed, 21 Oct 2009 18:22:26 -0700 (PDT)
Received: by pxi13 with SMTP id 13so5793162pxi.32 for <ipsec@ietf.org>; Wed, 21 Oct 2009 18:22:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=cU7D/EWKew0mE7eTomM3EDIIGEU9ETsedXGoxpu3cSI=; b=QGHfs0/4lnK2jSkhGCIYDDlLg5Rr4F6y6BrmFs1pKXbR0oNoKyVKcrbK23PByz0mTY +LfsrjUHnwNdbEVt1mmct4CP1RFAMSSV9+4sUcOq3zd1uyHEN/4aF7pvxoOtOf+ms1Cl HgsaIXP9/6KW0vrYoX/j2dpHKp+LhpylqFTTc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=HVsroTyMa11AFEP7Ffu2WGWJSVhVtfxXeg5RjsXD6W061AjWZrh+PmN4ytNs46EY/1 i+b/KRL2oM5xRbQcC3NDEqXhGSmpTKeIHo/y3r54b7CYEBkaaE+UeuBllAXc1M7P8vRh Pz95pwNoIpat8f4ZHpRHZuw82x8LJWOmONlwc=
MIME-Version: 1.0
Received: by 10.115.39.8 with SMTP id r8mr9306069waj.104.1256174551658; Wed, 21 Oct 2009 18:22:31 -0700 (PDT)
In-Reply-To: <19165.32194.275245.431639@fireball.kivinen.iki.fi>
References: <200910131509.RAA22549@TR-Sys.de> <80b5a9190910190108t46e6c862s9f8c48895e5b3851@mail.gmail.com> <19165.32194.275245.431639@fireball.kivinen.iki.fi>
Date: Thu, 22 Oct 2009 09:22:31 +0800
Message-ID: <80b5a9190910211822j407a58fbo6872025d4f488bc2@mail.gmail.com>
From: Shen Sean <sean.s.shen@gmail.com>
To: Tero Kivinen <kivinen@iki.fi>
Content-Type: multipart/alternative; boundary="0016e64c2652ed70ce04767bed29"
Cc: ipsec@ietf.org, Alfred HÎnes <ah@tr-sys.de>, draft-ietf-ipsecme-aes-ctr-ikev2@tools.ietf.org
Subject: Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-ikev2-02
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2009 01:22:27 -0000
2009/10/20 Tero Kivinen <kivinen@iki.fi> > Shen Sean writes: > > (3) Section 2 (and ff.) > ... > > The number of (internal) rounds is totally irrelevant for the > > application of the AES. Any attempt to mangle with this 'parameter' > > would raise significant security concerns and conformance issues. > > I strongly request to elide all mention of "rounds" from the draft. > > I agree on that. In most cases the AES is implemented as part of > cryptographic library or hardware, and for those you usually just > indicate the key length to be used and that automatically selects the > number of rounds. > > > [Sean] The intention of such a document is to give what a IKEv2 product > > MUST/SHOULD/MAY provide. A user may not have "choices" of rounds or size, > > but a vendor need to know what to provide. > > Usually even the vendor does not have choice, or even possibility to > change the number of rounds, as that is hidden inside cryptographic > library. [Sean] I have no doubt that most users or vendors won't bother to choose or change what's already in crypto lib. But, a standard related document is responsible to clearly state what are necessary for a product, in this case, the basic characteristics of AES-CTR, even though some of these seems obvious. I remmeber the very early version of this document does not include rounds stuff, but eventually we added it based on reviewers' comments and requests. > > > (15) Section 7 > > > > I suggest to more clearly indicate what this draft is expecting IANA > > to do: adding a reference to this memo for an existing registration. > > > > | IANA has assigned 13 as the transform ID for ENCR_AES_CTR encryption > > | with an explicit IV. This ID is to be used during IKE_SA > > | negotiation. > > --- > > | Per [RFC3686], IANA has assigned 13 as the "IKEv2 Encryption > > | Transform ID" to the name "ENCR_AES_CTR" for AES-CTR encryption with > > | an explicit IV, in the IANA "Internet Key Exchange Version 2 (IKEv2) > > | Parameters" registry. This document specifies how to use this > > | transform during IKE_SA negotiations. Hence IANA should add to that > > | entry a reference to this RFC. > > [Sean] It's a good point, but for IANA's reference to this document, I > > assume iana will updated their reference (following some rocedure?) when > > this document is processed. Let me know if we have to request it in the > > draft. > > I would not count on that. For example IANA didn't update the > ENCR_AES-CCM_* or AES_GCM with a * octect ICV references for the > RFC5282 automatically, so better add text there. [Sean] The last time I check iana's ikev2 parameters, the parameters was "last updated 2009-09-21". Seems they missed what you mentioned above. So I will add a request for reference. Best, Sean
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Sean Shen
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Shen Sean
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Tero Kivinen
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Shen Sean
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Paul Koning
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Tero Kivinen
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Sean Shen
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Alfred Hönes
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Sean Shen
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Alfred Hönes
- Re: [IPsec] review of draft-ietf-ipsecme-aes-ctr-… Alfred Hönes