Re: [secdir] Secdir review of draft-ietf-ipsecme-implicit-iv-07

Benjamin Kaduk <kaduk@mit.edu> Mon, 14 October 2019 23:35 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3A6A1208A7 for <secdir@ietfa.amsl.com>; Mon, 14 Oct 2019 16:35:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oHjQtPByp-gF for <secdir@ietfa.amsl.com>; Mon, 14 Oct 2019 16:35:16 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C55B61200EB for <secdir@ietf.org>; Mon, 14 Oct 2019 16:35:15 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x9ENZAv3013700 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 14 Oct 2019 19:35:13 -0400
Date: Mon, 14 Oct 2019 16:35:10 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Magnus =?iso-8859-1?Q?Nystr=F6m?= <magnusn@gmail.com>
Cc: secdir@ietf.org
Message-ID: <20191014233510.GJ61805@kduck.mit.edu>
References: <CADajj4ZQnWkjKdWpBgsB0oyX8_Kzj6HOL-Vkm=TrByBQMEJfPw@mail.gmail.com> <CADajj4bCTF5EeF6DZkCHpP0_GTnUYQtqa0OE3qf3Z5_AmKWfyA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CADajj4bCTF5EeF6DZkCHpP0_GTnUYQtqa0OE3qf3Z5_AmKWfyA@mail.gmail.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/K7angpc82yJL6J07EP4W_sXoufA>
Subject: Re: [secdir] Secdir review of draft-ietf-ipsecme-implicit-iv-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Oct 2019 23:35:18 -0000

Hi Magnus,

Thanks for this review -- I filed a Discuss point about the inconsistency
between the text and the codepoints for whether AES-CTR is covered.

-Ben

On Sun, Oct 13, 2019 at 10:46:30PM -0700, Magnus Nyström wrote:
>  I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security area
> directors.  Document editors and WG chairs should treat these comments just
> like any other last call comments.
> 
> This document defines a mechanism to save on bandwidth in ESP connections
> when certain ciphers have been negotiated by using implicit IVs. The
> savings are limited to 8 bytes for the current version of this document.
> 
> 
> 
>    - Section 2 mentions AES-CCM, AES-CTR, AES-GCM and ChaCha. For all of
>    these ciphers, an 8-byte nonce is used. The mechanism to make the IV
>    implicit is by coupling it to the sequence number. Yet, Section 4 gives two
>    examples of sequence numbers, one  of 4 bytes and one of 8 bytes. This is
>    confusing, presumably only the extended sequence number is usable?
>    - Also, while the Abstract says the memo offers a mechanism to save on
>    the explicit IV also for AES-CTR, and Section 2 includes AES-CTR in its
>    description, Section 4 explicitly states that only AES-CCM, AES-GCM and
>    ChaCha are subject of the optimization in this memo. This is also
>    confusing. Why including AES-CTR in the memo at all if it isn't covered? At
>    the very least it seems the Abstract should be updated.
>    - It would be very helpful and useful to include an example of a
>    handshake with an IIV and the resulting IV in an Appendix; this could
>    assist implementors to get things right.
> 
> 
> (Editorial: English grammar needs some updates/reviews)
> 
> Thanks,
> -- Magnus

> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview