Re: [MSEC] MSEC WGLC on draft-ietf-msec-ipsec-group-counter-modes-02
Hi David,
thanks for the comments, more inline:
On Dec 9, 2008, at 2:30 PM, Black_David at emc.com wrote:
Last week, the authors of this draft asked me to take a look
at it. I apologize for these comments coming slightly after
WG Last Call ends, and thank the authors in advance for their
patience in waiting for these comments.
Overall, the draft looks good, and I think support for further
use of these modes is a "good thing". I have a couple of minor
comments:
(1) I would add a sentence to either Section 3 (IV formation)
or section 6 (Security Considerations) to the effect that the
security properties of these modes do not rely upon
unpredictability of the initial IV values (IV sequences for
counter modes tend to be predictable for obvious reasons).
On initial reading, I was concerned about potential SID
use of 2 octets out of an 8-octet IV, and such a sentence
would remove that concern.
Section 2, par 1 ends like this:
"That is, for each key, no IV value can be used more than once. This
restriction on IV usage is imposed on ESP CTR, ESP GCM, and ESP CCM.
In cryptographic terms, the IV is a nonce."
Right after that, we could add: "(Note that CBC mode requires IVs that
are unpredictable. CTR, GCM, GMAC, and CCM do not have these
restrictions.)"
I'm fine with adding something in Section 3 or 6 too. In Section 3
we could say "Neither the SID nor the SSIV fields need to be
unpredictable. The uniqueness requirements described above meet all
of the security requirements of CTR, GCM, GMAC, and CCM modes."
Wordsmithing welcome.
(2) The first two bullet items in Section 4 are not as clear
as they could be:
- It is unclear whether the first requirement applies across
all SAs, or on an SA by SA basis.
Good point. I suggest something like:
"For each SA for which sender identifiers are used, the GKMS MUST NOT
give the same sender identifier to more than one active group
member ... "
- There is almost no discussion about what happens if the
SHOULD in the second bullet is not followed.
I think the first requirement is on an SA by SA basis (that
should be stated), and then the explanation of the SHOULD in
the second requirement can be two-fold:
- Avoids need to manage SIDs on a per-SA basis in not only
the GKMS, but also the senders (the latter is probably
the more important consideration).
- Avoids any need to change/issue SIDs when rekeying an SA.
Only the latter point appears to be mentioned.
Sounds good to me.
Thanks again!
David
Thanks,
--David
----------------------------------------------------
David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA 01748
+1 (508) 293-7953 FAX: +1 (508) 293-7786
black_david at emc.com Mobile: +1 (978) 394-7754
----------------------------------------------------
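A constructed Python sketch of the two points in the thread, the SID || SSIV layout of the 8-octet IV and the per-SA rule that the GKMS never hands one SID to two active members, with a receiver-side check that no IV repeats under a key. This is added here and is not code from the draft or from either author; the 2-octet SID width (the split David raised) and all class and function names are assumptions.

```python
from typing import Dict, Set

IV_OCTETS = 8  # the 8-octet IV used by ESP CTR, GCM, GMAC and CCM

def form_iv(sid: int, ssiv: int, sid_octets: int = 2) -> bytes:
    """Return IV = SID || SSIV as IV_OCTETS bytes, big-endian.
    A 2-octet SID is the width mentioned in the thread; the draft
    leaves the split to the GKMS, so the default here is an assumption."""
    sid_bits = 8 * sid_octets
    ssiv_bits = 8 * IV_OCTETS - sid_bits
    if not 0 <= sid < (1 << sid_bits):
        raise ValueError("SID does not fit in %d octets" % sid_octets)
    if not 0 <= ssiv < (1 << ssiv_bits):
        raise ValueError("SSIV counter exhausted: the SA must be rekeyed")
    return ((sid << ssiv_bits) | ssiv).to_bytes(IV_OCTETS, "big")

class SidAllocator:
    """GKMS bookkeeping for one SA: a SID is never held by two active
    members at once (the per-SA MUST NOT proposed in the thread)."""
    def __init__(self, sid_octets: int = 2) -> None:
        self.limit = 1 << (8 * sid_octets)
        self.by_member: Dict[str, int] = {}
        self.free: Set[int] = set()   # SIDs returned by departed members
        self.next_sid = 0
    def assign(self, member: str) -> int:
        if member in self.by_member:  # idempotent for an active member
            return self.by_member[member]
        if self.free:
            sid = self.free.pop()
        elif self.next_sid < self.limit:
            sid, self.next_sid = self.next_sid, self.next_sid + 1
        else:
            raise RuntimeError("SID space exhausted for this SA")
        self.by_member[member] = sid
        return sid
    def release(self, member: str) -> None:
        self.free.add(self.by_member.pop(member))

class NonceMonitor:
    """Receiver-side check that no IV repeats under one key; a repeat
    means the nonce requirement of CTR, GCM, GMAC or CCM was broken."""
    def __init__(self) -> None:
        self.seen: Set[bytes] = set()
    def observe(self, iv: bytes) -> bool:
        """True if iv is fresh for this key, False if already used."""
        if iv in self.seen:
            return False
        self.seen.add(iv)
        return True
```

The IVs produced are fully predictable (a member id followed by a counter), which is exactly what the thread says is acceptable for these modes; only uniqueness per key matters, and that is what the allocator and monitor enforce.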
_______________________________________________
MSEC mailing list
MSEC at ietf.org
https://www.ietf.org/mailman/listinfo/msec