Re: [IPsec] Stephen Farrell's Yes on draft-ietf-ipsecme-chacha20-poly1305-11: (with COMMENT)

Yoav Nir <ynir.ietf@gmail.com> Thu, 09 July 2015 07:51 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/ujSbkqovX0gbearbb0KqPrQMtuU>

So, how about replacing the first two paragraphs?

OLD:
   The Advanced Encryption Standard (AES - [FIPS-197]) has become the
   gold standard in encryption.  Its efficient design, wide
   implementation, and hardware support allow for high performance in
   many areas, including IPsec VPNs.  On most modern platforms, AES is
   anywhere from 4x to 10x as fast as the previous most-used cipher,
   3-key Data Encryption Standard (3DES - [SP800-67]). 3DES also has a
   64-bit block, which means that the amount of data that can be
   encrypted before rekeying is required is not great.  These reasons
   make AES not only the best choice, but the only choice.

   The problem is that if future advances in cryptanalysis reveal a
   weakness in AES, VPN users will be in an unenviable position.  With
   the only other widely supported cipher being the much slower 3DES, it
   is not feasible to re-configure IPsec installations away from AES.
   [standby-cipher] describes this issue and the need for a standby
   cipher in greater detail.

NEW:
   The Advanced Encryption Standard (AES - [FIPS-197]) has become the
   go-to algorithm for encryption.  It is now the most commonly used 
   algorithm in many areas, including IPsec virtual private networks
   (VPN).  On most modern platforms AES is anywhere from 4x to 10x as 
   fast as the previous popular cipher, 3-key Data Encryption Standard 
   (3DES - [SP800-67]). 3DES also uses a 64-bit block, which means that 
   the amount of data that can be encrypted before rekeying is required 
   is limited. These reasons make AES not only the best choice, but the 
   only viable choice for IPsec.
   
   The problem is that if future advances in cryptanalysis reveal a
   weakness in AES, VPN users will be in an unenviable position.  With
   the only other widely supported cipher for IPsec implementations 
   being the much slower 3DES, it is not feasible to re-configure IPsec 
   installations away from AES. [standby-cipher] describes this issue 
   and the need for a standby cipher in greater detail.


Yoav