IETF Logo Mail Archive

Re: [kitten] [EXTERNAL] Re: Question about AES mode in Kerberos

Nico Williams <nico@cryptonector.com> Fri, 13 January 2023 19:37 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2CB4C15E3FF for <kitten@ietfa.amsl.com>; Fri, 13 Jan 2023 11:37:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oZlfKZGvNJ2O for <kitten@ietfa.amsl.com>; Fri, 13 Jan 2023 11:36:57 -0800 (PST)
Received: from crocodile.elm.relay.mailchannels.net (crocodile.elm.relay.mailchannels.net [23.83.212.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9202AC15257D for <kitten@ietf.org>; Fri, 13 Jan 2023 11:36:57 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 993F91016C2; Fri, 13 Jan 2023 19:36:56 +0000 (UTC)
Received: from pdx1-sub0-mail-a264.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 1EBB61017A6; Fri, 13 Jan 2023 19:36:56 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1673638616; a=rsa-sha256; cv=none; b=KUjWCeBpMFEDEoh/rONiN8avtJ9d6lKHB3axSNs9LvvHEjhFJP1WqFOrgHbrCXVS2UlxTf Urwu8Ipj8VCTwA/S2uGOOuw+Bojpkzhdr+gz5oxUc18Bj0k9d4DpNP9l3mlVx+0Cernm+x j6KB5l1u/R5E3tnRiBeVxs11VOwPGpSesbUZjFeEaK8qLHd71hcmpJDASuBr/OgM6kVAJT kDsegXFk0KcijMWCDG4Lqq9QzdZBdjj3y9nqQfTPelfk3USuU9rZ30YHY++CtbvAWlNoUa 50bD/ZzO1/S054/sHB2ESVKNJYJtB5hkpvtFCit6puyV+GFmV/Uqd8rhflpaCQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1673638616; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=eLdNpLI2i9xGRvdA0FB7zZCK8SfWeR4AqAdNdVoxykM=; b=R1VcT554VsYDj/cwnGVTB3yB1gzQWXTcqfxuiGH63GKauLOBT4bf/S3n3PGotxByDUa4EC imA5UFyuS5Vhacr8cf3k5lodKLC4FPE6fGwH0/FJ5ubCCJPnk8g0aFrQWzyXQRFHjfj9aw E28SkUg3prdoISea2b2A1boK90njUESXqBTb72enfwyQrZurQMPWKy8Hv34htgX9S3XNPU XIKLAK2Sv3aG1HPXIn48/GQb5Tx5LfMTBVKZkvdENQDz9nvH1mBpNA8axDyPSM6ZITf2M6 EiRZo5xN6m17lwmJC/t8nUtUvEk10PSF2JJ+qdbB6NThNkxi+JYyeIFuXo1/dQ==
ARC-Authentication-Results: i=1; rspamd-7cf955c847-gk5nk; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Tangy-Invention: 3e7f49fa43ae9aa1_1673638616413_1045499713
X-MC-Loop-Signature: 1673638616413:3597992962
X-MC-Ingress-Time: 1673638616413
Received: from pdx1-sub0-mail-a264.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.109.138.47 (trex/6.7.1); Fri, 13 Jan 2023 19:36:56 +0000
Received: from gmail.com (cpe-66-25-27-1.tx.res.rr.com [66.25.27.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a264.dreamhost.com (Postfix) with ESMTPSA id 4Nts9z1CCNzM4; Fri, 13 Jan 2023 11:36:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1673638615; bh=eLdNpLI2i9xGRvdA0FB7zZCK8SfWeR4AqAdNdVoxykM=; h=Date:From:To:Cc:Subject:Content-Type; b=ZMWJs1tTZ0X7py4e8zblTAeeoMVDgmRU46dGqcMfguRHIT6usDWDAYb309l+7Nk4w qVf70sLmzyN2N1UJFIOezpinEVCk9/AII+YS+N14vz0wRrtXpfy0murWZ1ZVHBCrbl yBiglCX41ph0Hc5yO8zxTTBK//8jakhgOPXSZhpCBb7EBQlLx1yHnM0htVg577mN/s JjcP0DdXQGfkfgCk0KaL1UfeXsh0Lqs15rqsakmp3IGP+TCr8mUPmk5tMR0EJqHQmD 1xxTyu2MPdViDU5LApvTI4z5s6odu2VeqpAdTjoV7gGYyTKNeJd2zBH0Gn9EyVzluG VEJ8aj7ev0SlQ==
Date: Fri, 13 Jan 2023 13:36:52 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs=40microsoft.com@dmarc.ietf.org>
Cc: Olga Kornievskaia <aglo@umich.edu>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y8Gy1LqHfxJj7Iuf@gmail.com>
References: <CAN-5tyGGJXoo9RfKEGTsk8XeQDpZ--VSnO7nunzvnBBzrRB0WQ@mail.gmail.com> <558f31de-7fac-26c7-fe81-8e486968f0ef@secure-endpoints.com> <CAN-5tyGMpwTCpo9cm25RuB4n8moOoiU35PrE4HRK+Yini=Lp8A@mail.gmail.com> <912e61a5-192c-626f-0a36-7001b567c212@secure-endpoints.com> <MW4PR21MB1970A436FA5DF2E76F815DFC9CF49@MW4PR21MB1970.namprd21.prod.outlook.com> <CAN-5tyE819exSnenGGiJo1f38EfAhnO99Pv2cq2C3rjF1b-LSg@mail.gmail.com> <MW4PR21MB1970DE557EECC969FA3F54EB9CF59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y8GwiLk92rWLmfL0@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <Y8GwiLk92rWLmfL0@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/x052cwcMS7osOwIjpfX8kXLZu0o>
Subject: Re: [kitten] [EXTERNAL] Re: Question about AES mode in Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2023 19:37:02 -0000

On Fri, Jan 13, 2023 at 01:27:04PM -0600, Nico Williams wrote:
> Off-loading crypto to a NIC is probably still a desirable thing in some
> cases.  But it is not really possible to off-load to NIC any crypto at
> layers above TCP, as then the NIC would have to have knowledge too many
> protocols (plus implement TCP, maintain large buffers, etc.).

Well, off-loading TLS in TCP to a NIC is doable, with some contortions.
The point is (was) that off-loading ESP was much much easier.

v2.23.0 | Report a Bug | By Email