IETF Logo Mail Archive

Re: [IPsec] draft-ietf-ipsecme-implicit-iv-06 - key length is missing

"Valery Smyslov" <smyslov.ietf@gmail.com> Wed, 03 April 2019 05:52 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47CBD120395 for <ipsec@ietfa.amsl.com>; Tue, 2 Apr 2019 22:52:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.5
X-Spam-Level:
X-Spam-Status: No, score=-0.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VlZ5uiC9P5pg for <ipsec@ietfa.amsl.com>; Tue, 2 Apr 2019 22:52:35 -0700 (PDT)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9AA6120019 for <ipsec@ietf.org>; Tue, 2 Apr 2019 22:52:34 -0700 (PDT)
Received: by mail-wr1-x42b.google.com with SMTP id y7so19518430wrn.11 for <ipsec@ietf.org>; Tue, 02 Apr 2019 22:52:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=LglB1plUvRBzw7AnN6yyizaxUIyFqiihS8odtD3jmvg=; b=KkPxn9RIW/vxiqdEchESzYSJ7vbvDcSG9wgydBV9EGgnoToe8r7dopfhpbB5fgnTSm txJLE8Oowkm8NcL78kSVak2s57rwLyxo+4Vl7C7sYOTQMxZjXym7qWGYZjLKmey00nTw 8xhKtmjmOFILeWwzE48SK+azQTt9Fxv6MO8k+3KqFgalSgAF9SgAr0Yp6JHJMxzhHdDZ 0m/gAKpSo0ZHTg+ZOFN0Bk0Jldw1PM0xPFWbP5PiNTLhEdKyeSZq6+yhYn2OURAepHqt j5wz6FwAQul96sNVVMliZ9lCJJvtF8KexTl3a6v7tvQpLbXvnS/b7PAI+u1DIVWd7fxO c+hA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=LglB1plUvRBzw7AnN6yyizaxUIyFqiihS8odtD3jmvg=; b=mccnfyLE1QJu2Rfubt3+/KBIeBgR/5Gf00I7Dg8GFFwAim4PG07amup9Sa2BvA3QEW 0XljB3TeFFvTjKQZrEFxrRqOKg8FlZq0EO+J0oqByt4wzp+XQ6AZ/Ynee915J9YLj9be 4zlpThUnJhexQNGWY7Apjijw07tp10f/9xTdjdFy9fW4v9+AEOzRhyO2/O8DWVzXxt7Q Ii11xr1W2tbOKBt5qh077EbpiCuHlqS3ZH/ozu3gdxcf4hVSk0Rjr6M03tUbU9dgJcQ+ IY+ZH0xjFjM9ulTDcdTWUX7UDBirTobQQvO7/tgaZWwXbyRd3H/qTBuAZqLCYgpp8qVd k3Kw==
X-Gm-Message-State: APjAAAUOTF1FEKI/TslYggFTknQfmo+qvLvJAuZhpceMskz6YCcCPQP3 3L5+7jAu8M4MCawFBeD3RMC/4tZc
X-Google-Smtp-Source: APXvYqz590zbdZkuPrY81VVb9HIHI/QLmZsyz2W0v+DAFFqTC8eRIG9WTWWR2LI7lSCwzJmqbYU3LQ==
X-Received: by 2002:a5d:6a08:: with SMTP id m8mr47135150wru.30.1554270752964; Tue, 02 Apr 2019 22:52:32 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id k14sm11619212wmj.26.2019.04.02.22.52.31 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 02 Apr 2019 22:52:32 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Paul Wouters' <paul@nohats.ca>
Cc: 'IPsecME WG' <ipsec@ietf.org>
References: <010501d4e961$ddae8a90$990b9fb0$@gmail.com> <alpine.LRH.2.21.1904021250150.14241@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1904021250150.14241@bofh.nohats.ca>
Date: Wed, 03 Apr 2019 08:52:31 +0300
Message-ID: <018201d4e9e1$6e785400$4b68fc00$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQH2Bk3AMgto0NN/T2TCjcWtr4PQxgGM/hO3pdtMsIA=
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/w6Sci2v-LPB3wYMfiKPoo7CRiQ0>
Subject: Re: [IPsec] draft-ietf-ipsecme-implicit-iv-06 - key length is missing
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2019 05:52:37 -0000

Hi Paul,

> > and define a default key length for the case when it is absent (e.g. 256 bits).
> 
> Do not do this. There are broken implementations and interop issues on
> this already by broken clients who don't send or omit to send KEY_LENGTH
> (old versions of us included).

I don't buy this argument. There will always be broken implementations
and implementers who don't read the documents. We cannot improve human being.

> > It'll allow us to save few bytes by omitting attribute for most common cases.
> 
> Not worth it.

I agree that the win is small, but we can get it for free.
After all, implicit IV is intended to be used in situations,
when extra bytes on wire are expensive, so making
IKE SA payload smaller for this particular transforms 
makes sense. But I definitely don't insist.

Regards,
Valery.

> Paul

v2.23.0 | Report a Bug | By Email