Re: draft-ietf-ipsec-ikev2-04.txt






> Why 2-key 3DES? Why not 3-key? In my view a sufficient minimum would be
> these two suites:
>    1536-bit Diffie-Hellman; 168-bit 3DES CBC; HMAC-SHA1; ESP.
>    1536-bit Diffie-Hellman; 128-bit AES CBC; HMAC-SHA1; ESP.

Only because it was my understanding that 2 key 3DES was what was most
commonly deployed, and it seemed reasonable for one suite to be the one
that is actually out there. What is actually out there?

> For ips's usage, AES-CTR does not need a smaller D-H
> group, and going to a larger one seems reasonable given the
> motivation to transfer large amounts of data at high speed.  While
> I could live with suites that differed only in the D-H group, I'm
> not going to propose them, so here are a couple of strawmen to get
> started:
>
> 1536-bit Diffie-Hellman; 128-bit AES CBC; HMAC-SHA1; ESP.
> 2048-bit Diffie-Hellman; 128-bit AES CTR; HMAC-SHA1; ESP.

There are separate suites for IKE SAs and for ESP SAs. The ESP SAs are the
ones likely to be performance sensitive. What if the ESP SAs were:

168-bit 3DES CBC; HMAC-SHA1; ESP w/o extended sequence numbers (for
backwards compatibility)
128-bit AES CBC; HMAC-SHA1; ESP w/extended sequence numbers
128-bit AES CTR; HMAC-SHA1; ESP w/extended sequence numbers

and the IKE suites were:

1024-bit Diffie-Hellman; 168-bit 3DES CBC; HMAC-SHA1 (for best performance
and backwards compatibility)
1536-bit Diffie-Hellman; 128-bit AES CBC; HMAC-SHA1
2048-bit Diffie-Hellman; 128-bit AES CBC; HMAC-SHA1

Is there any reason to have AES CTR for IKE? Performance is not an issue,
but I can imagine people doing CTR mode for ESP not wanting to have to also
implement CBC just for IKE.

Is there any reason to have AES without extended sequence numbers? Is there
any reason to have 3DES with extended sequence numbers? The logic is that
AES and extended sequence numbers are the new way to do things. The only
reason anyone would not have extended sequence numbers is for backwards
compatibility. Am I wrong?

Is there any reason to have AES CBC at all? Is it better than AES CTR by
some metric that people care about? Or could we just assume that if you're
using AES you'll either want to or be willing to use CTR mode?

(Don't shoot the questioner... I'm just being naive. I don't care what
suites we mandate... just that we settle on something).

          --Charlie

Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).