Re: [IPsec] Comments about draft-ietf-ipsecme-implicit-iv-02
Daniel Migault <daniel.migault@ericsson.com> Thu, 10 May 2018 16:53 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97562126B72; Thu, 10 May 2018 09:53:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vlci0wi_blRB; Thu, 10 May 2018 09:53:19 -0700 (PDT)
Received: from mail-lf0-x232.google.com (mail-lf0-x232.google.com [IPv6:2a00:1450:4010:c07::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 090D412D88A; Thu, 10 May 2018 09:53:09 -0700 (PDT)
Received: by mail-lf0-x232.google.com with SMTP id b18-v6so3241679lfa.9; Thu, 10 May 2018 09:53:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=REI5Eu2trYIGpk7wMQf5Llcsp7xIapUk0dSXUojjBtc=; b=pSisYvQUDMkTZq457Lago8G0gF0GDuwVXH3BNE93XZuJspFYLkFvR/tm/mgetJ39rc JaUw1atbLoiaxO7yAKjEQsCxk7hsxeNI0u1Uqxgm+aFS7JX2hqaCwEKyn+Pv8WJFaXPE hAdeuzBLf1MPEVquRO87hfGANLfFpxg3RmaBik8C6ddpxXNpmHLusBkO1l/OTbFmyW8K gmCtJ+G03i+ofry/D8AOINfve68k7P1j1vT68hKZX+L65iqBKvxZOv2PEEIofRBeAvyA 5P1riLFPkDTPniBnucYDskCkVy/ef6HMgRkTRN2LmLFb8+R9S7g/OA2BO2cQx05wb57/ nyRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=REI5Eu2trYIGpk7wMQf5Llcsp7xIapUk0dSXUojjBtc=; b=sy0PZvrNtAtmXKFk407VR5hq2l9LhkFD7HMqYjD6dbL2B77gcqKzqeHe7kGQXRw93f 8kmqInO5gxXA3sB9yNOGyGHxn3TsX7qyUVI1593lb53GY9s925wCICAFVLATvGrd5QL2 txiAXUXij/IdGpwgh5N5mLhEamTvubr916/OmaVvcwD/HQRXOTPF+EHnbP0A7ylATete S95gEazTF34ZAbpZfQuz/cm/at0KPw5sr34mkCZBnsldfWRMmPTZGjXDlHHJLuocZ08f bCIoaEctREODd2VN4DAOSbOkXa7BuwzhaGimKil3VvwYj2DYu9snkc7HuxGkkV/ezizD LkCg==
X-Gm-Message-State: ALKqPwf1Ut+9viCbVGA3hz1povPj+QOhtrvLb/EhPJYd+yVGNcoyf1aT xx+3crDveMUJfMDp7RF/fkQorIIpQcJRakBDSTo=
X-Google-Smtp-Source: AB8JxZpIVUE0Sar7eLngnqfGMi6ceahfpdF5lWt/XEPqPptStVQaAX1aDbIR2ry6UhbgQgYm3zeNeeg2LLzjZKFbWFI=
X-Received: by 2002:a19:c6c1:: with SMTP id w184-v6mr1508659lff.126.1525971185930; Thu, 10 May 2018 09:53:05 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.46.20.73 with HTTP; Thu, 10 May 2018 09:53:05 -0700 (PDT)
In-Reply-To: <23284.23787.935682.175733@fireball.acr.fi>
References: <23239.54227.814560.228778@fireball.acr.fi> <CADZyTkmO32wVS7MoP=RsnH5KAZ68yMBCw0WT5vhmGziuDA6s1Q@mail.gmail.com> <23284.23787.935682.175733@fireball.acr.fi>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Thu, 10 May 2018 12:53:05 -0400
X-Google-Sender-Auth: NRbBCs2qWPPQZzIyfpSXDQ_iMZI
Message-ID: <CADZyTkmp_rBwkE14PyvPAwQT7L=kba8dKzuvBB6P0qEqDJTbmw@mail.gmail.com>
To: Tero Kivinen <kivinen@iki.fi>
Cc: IPsecME WG <ipsec@ietf.org>, draft-ietf-ipsecme-implicit-iv@ietf.org
Content-Type: multipart/alternative; boundary="00000000000079950d056bdcda7c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/wStMa2AT1hdH71zUJ949VbDdIZQ>
Subject: Re: [IPsec] Comments about draft-ietf-ipsecme-implicit-iv-02
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 May 2018 16:53:21 -0000
Hi Tero, Thanks for the response. Version 4 of the draft has been updated with this alternative. Yours, Daniel On Thu, May 10, 2018 at 10:53 AM, Tero Kivinen <kivinen@iki.fi> wrote: > Daniel Migault writes: > > another alternative could be: > > > > As the IV MUST NOT repeat for one SA when Counter-Mode ciphers are > > used, Implicit IV as described in this document MUST NOT be used in > > setups with the chance that the Sequence Number overlaps for one SA. > > Multicast as described in [RFC5374], [RFC6407] and > > [I-D.yeung-g-ikev2] is a prominent example, where many senders share > > one secret and thus one SA. As > > such, it is NOT RECOMMENDED to use Implicit IV with Multicast. > > I would actually prefer to this. I think it is better to say don't do > it, than provide ways it could be done before saying don't do it.... > > I.e., if someone is interested in this then we need to write new > specification that will specify how it is done, so there is no point > of speculating here what it could be. > -- > kivinen@iki.fi > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec >
- [IPsec] Comments about draft-ietf-ipsecme-implici… Tero Kivinen
- Re: [IPsec] Comments about draft-ietf-ipsecme-imp… Daniel Migault
- Re: [IPsec] Comments about draft-ietf-ipsecme-imp… Tero Kivinen
- Re: [IPsec] Comments about draft-ietf-ipsecme-imp… Daniel Migault