
Re: [MSEC] MSEC WGLC on draft-ietf-msec-ipsec-group-counter-modes-02



[Forwarding David Black's latest email.]

From: Black_David at emc.com
Date: December 12, 2008 2:51:14 PM PST
To: <mcgrew at cisco.com>
Cc: <msec at ietf.org>, <bew at cisco.com>, <ldondeti at qualcomm.com>, <Black_David at emc.com>
Subject: RE: MSEC WGLC on draft-ietf-msec-ipsec-group-counter-modes-02


David (M),

(1) Adding the note about IVs to the end of the first paragraph
	of Section 2 is a fine thing to do, IMHO.  I would repeat
	that note at the end of the first paragraph of Section 6,
	as it is a security consideration.  Beyond these two, I
	don't see a need to add anything to Section 3.

(2) I agree with your suggestion for the first bullet in Section
	4.  That plus your plan to pick up my suggestions about
	the second bullet should suffice to clarify these bullets.

Thanks,
--David (B)



-----Original Message-----
From: David McGrew [mailto:mcgrew at cisco.com]
Sent: Friday, December 12, 2008 1:32 PM
To: Black, David
Cc: msec at ietf.org; bew at cisco.com; ldondeti at qualcomm.com
Subject: Re: MSEC WGLC on draft-ietf-msec-ipsec-group-counter-modes-02

Hi David,

thanks for the comments, more inline:

On Dec 9, 2008, at 2:30 PM, Black_David at emc.com wrote:


Last week, the authors of this draft asked me to take a look
at it.  I apologize for these comments coming slightly after
WG Last Call ends, and thank the authors in advance for their
patience in waiting for these comments.

Overall, the draft looks good, and I think support for further
use of these modes is a "good thing".  I have a couple of minor
comments:

(1) I would add a sentence to either Section 3 (IV formation)
or section 6 (Security Considerations) to the effect that the
security properties of these modes do not rely upon
unpredictability of the initial IV values (IV sequences for
counter modes tend to be predictable for obvious reasons).
On initial reading, I was concerned about potential SID
use of 2 octets out of an 8-octet IV, and such a sentence
would remove that concern.


Section 2, par 1 ends like this:

"That is, for each key, no IV value can be used more than once. This
restriction on IV usage is imposed on ESP CTR, ESP GCM, and ESP CCM.
In cryptographic terms, the IV is a nonce."

Right after that, we could add: "(Note that CBC mode requires IVs that
are unpredictable.  CTR, GCM, GMAC, and CCM do not have these
restrictions.)"

I'm fine with adding something in Section 3 or 6 too.   In Section 3
we could say "Neither the SID nor the SSIV fields need to be
unpredictable.   The uniqueness requirements described above meet all
of the security requirements of CTR, GCM, GMAC, and CCM modes."

Wordsmithing welcome.




(2) The first two bullet items in Section 4 are not as clear
as they could be:
- It is unclear whether the first requirement applies across
	all SAs, or on an SA by SA basis.


Good point.   I suggest something like:

"For each SA for which sender identifiers are used, the GKMS MUST NOT
give the same sender identifier to more than one active group
member ... "



- There is almost no discussion about what happens if the
	SHOULD in the second bullet is not followed.
I think the first requirement is on an SA by SA basis (that
should be stated), and then the explanation of the SHOULD in
the second requirement can be two-fold:
- Avoids need to manage SIDs on a per-SA basis in not only
	the GKMS, but also the senders (the latter is probably
	the more important consideration).
- Avoids any need to change/issue SIDs when rekeying an SA.
Only the latter point appears to be mentioned.



Sounds good to me.

Thanks again!

David


Thanks,
--David
----------------------------------------------------
David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
black_david at emc.com        Mobile: +1 (978) 394-7754
----------------------------------------------------


--
Brian Weis
Router/Switch Security Group, ARTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew at cisco.com
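Added example, not code from the draft or from anyone in the thread: it shows the IV formation and the per-SA sender-identifier rule discussed above. It assumes the 2-octet SID / 6-octet SSIV split the thread uses as its worked case, a GKMS that tracks assignments per SA, and a sender that refuses to let its SSIV counter wrap; all class and function names are hypothetical.

```python
# Constructed illustration of IV = SID || SSIV for ESP CTR/GCM/GMAC/CCM.
# Assumption: 8-octet IV = 2-octet sender identifier + 6-octet counter.
SID_OCTETS = 2
SSIV_OCTETS = 6
MAX_SID = (1 << (8 * SID_OCTETS)) - 1
MAX_SSIV = (1 << (8 * SSIV_OCTETS)) - 1


def form_iv(sid: int, ssiv: int) -> bytes:
    """Build the IV as SID || SSIV, big-endian.

    Neither field needs to be unpredictable; the counter modes only
    require that no IV repeats under the same key, so uniqueness of the
    (SID, SSIV) pair across all senders is the whole security argument.
    """
    if not 0 <= sid <= MAX_SID:
        raise ValueError("SID out of range")
    if not 0 <= ssiv <= MAX_SSIV:
        raise ValueError("SSIV out of range")
    return sid.to_bytes(SID_OCTETS, "big") + ssiv.to_bytes(SSIV_OCTETS, "big")


class GroupKeyServer:
    """Hypothetical GKMS bookkeeping: on each SA, a SID belongs to at most
    one active member. The same SID may be reused on a different SA."""

    def __init__(self) -> None:
        self._holders: dict[tuple[int, int], str] = {}  # (spi, sid) -> member

    def assign_sid(self, spi: int, sid: int, member: str) -> None:
        holder = self._holders.get((spi, sid))
        if holder is not None and holder != member:
            raise ValueError(f"SID {sid} on SPI {spi:#x} already held by {holder}")
        self._holders[(spi, sid)] = member


class Sender:
    """Per-(SA, SID) counter state; a wrapped SSIV would repeat an IV under
    the same key, so the sender stops and demands a rekey instead."""

    def __init__(self, sid: int) -> None:
        self.sid = sid
        self.ssiv = 0

    def next_iv(self) -> bytes:
        if self.ssiv > MAX_SSIV:
            raise RuntimeError("SSIV space exhausted: rekey before sending")
        iv = form_iv(self.sid, self.ssiv)
        self.ssiv += 1
        return iv
```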
