[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt

At 5:30 PM -0700 7/26/02, David A. Mcgrew wrote:
Steve,

I would be grateful if you would neither speculate on my personal motives
nor cast aspersions on my employer.  I refuse to be cast as a corporate
shill for presenting technical arguments and asking for WG input.

This discussion doesn't need to be adversarial.  Let's just make sure that
we've made our technical arguments clear to WG and leave it at that.


I agree that this debate should be technical, but your message clearly shows that you tried to bring the imprimatur of your employer into the discussion. Your behavior, in terms of the wording of the message, and in terms of the design team process, further earned you the personal criticisms I levied. Your indignant disclaimer is out of place.

So, let's look at the technical arguments you made, my responses, and your comments to my responses. To avoid needless message expansion, I have summarized:

On the topic of the overhead posed by an explicit vs. implicit IV, I questioned the 20-byte number you used as an example. Your rebuttal was vague and in no way countered my observation that the payload size you cited is a very misleading value. Dave Oran pointed out that header compression can reduce the IP header overhead, and the ESP header as well. But the UDP header is inside the encryption boundary, as are the ESP padding and pad length and NEXT field, and the ESP ICV is random. So, my point stands, i.e., either you were very careless in making the comparison between a 20-byte payload and an 8-byte IV, or you were intentionally skewing the argument. My point about inappropriately referring to your employer in this argument, presumably to lend it greater weight, also stands.

With regard to the security evaluation boundary argument, the issue is exactly that sharing SA state, specifically sequence number values, across chip or PC board boundaries presents a limitation on performance. I serve (or have served) as a technical advisor to three different companies developing high speed crypto chips for IPsec. The hardware engineers in each company agree with my observation that is would be a fundamentally bad idea to try to maintain sequence number sync across chip/board boundaries, for very high speed implementations.

Separartely, you maintained that your employer had not encountered any problems in this regard, and I countered that this was probably because your employer was not building high assurance products, and thus the security boundary was very large. A check of the FIPS 140-1 evaluated products list confirms my assertion about the assurance level of all Cisco evaluated products. Again, your response has not countered my criticisms. Instead you asked what vendors didn't maintain the sequence number within the security perimeter. That's not the point. The point is that, historically, there has been no need to maintain the ESP sequence counter within the perimeter for FIPS 140-1. But, reusing it for counter mode creates that need and adversely limits the design space for higher assurance products.

The above argument segues into the disagreement re the pitfalls of reusing ESP sequence numbers for counter mode, and what I maintain is an irrelevant discussion of other crypto modes. You claim to not understand the security difference between sequence numbers used, optionally, for anti-replay, and unique values used as inputs to a crypto algorithm. The distinction is that the former use is of secondary security importance, as evidenced by the fact that it is an optional feature (for the receiver) and that is is outside the security evaluation boundary under 140-1/2. In contrast. the inputs for counter mode are security critical values that fall within the evaluation boundary for 140-1/2. As is so often the case, the term "trust" has no relevance here. The ESP sequence number plays a well-defined role, and reusing it for another purpose is a bad design approach, from a security standpoint. Ask one of your colleagues who has first hand experience with the security evaluation process; perhaps they can explain this notion better than I.

With regard to the use of counters for per-packet and intra-packet inputs to counter mode, your response did not rebut my observation that the 2-fold difference in adder size was an issue ignore by your initial claim.

You did respond to my observations about the greater flexibility afforded to a product designer by a per-packet input approach that allows the sender to choose whatever means of generating the value that meets the security and performance requirements for a product. Your response was as assertion that the 8-byte overhead of an explicit IV is not worth the flexibility. This is a value judgement, not a technical argument. However, I am annoyed by the way you tend to couch the argument, i.e., as though this is an extra 8 bytes, whereas the reality is that the same 8-byte overhead that has been the default for ESP (in CBC mode) since it became a standard. So the question is not whether to add 8 bytes, but whether there is a pressing need to remove 8 bytes.

Finally, you dispute, thought only faintly, my characterization of the history of the design team and how we got to this point. There really is little ambiguity here. Russ was added to the team at your invitation. One might argue about whether you asked him to join in an effort to sway the team to your proposal. It is a fact, however, that Russ developed a compromise document, that the rest of the design team agreed to it, and that you choose to bring your arguments to the list in an effort to reject the compromise.

Steve