Re: [IPsec] updating ESP and AH requirements (was: Call for agenda items)

"Black, David" <david.black@emc.com> Fri, 26 October 2012 20:32 UTC

From: "Black, David" <david.black@emc.com>
To: "David McGrew (mcgrew)" <mcgrew@cisco.com>, Paul Hoffman <paul.hoffman@vpnc.org>
Date: Fri, 26 Oct 2012 16:32:34 -0400
Cc: IPsecme WG <ipsec@ietf.org>, "wajdi.k.feghali@intel.com" <wajdi.k.feghali@intel.com>
Subject: Re: [IPsec] updating ESP and AH requirements (was: Call for agenda items)

Paul Hoffman wrote:
> >You may be overstating that "many people" agree that it is worth doing,
> >but it is certainly worth discussing.

I'm definitely interested in that discussion, as I'm in the midst of
an update to the IPsec requirements for iSCSI.

David McGrew wrote:
> The issue is that 3DES has a 64-bit block instead of a 128-bit block;
> please see draft-irtf-cfrg-cipher-catalog-01 Section 2.2.3.   (In
> retrospect, there should have been a citation in the draft.)

That suggests that an explanation of the birthday bound concern
along with a discussion of transmission rate and rekeying concerns
would be appropriate for the ESP and AH requirements draft, as
opposed to a blanket "SHOULD NOT" statement for 3DES.

A 1 Gbit/sec link running encrypted at line rate can get to the 4
Gigabyte birthday bound stated in the cfrg draft fairly quickly, but
a much slower throughput rate may take much longer before rekeying
becomes necessary, if ever (e.g., a remote access session's entire
traffic may be measured in 10s of Megabytes or less).

Aside - there may be a math error in the draft.
For a block size (w) of 64 (i.e., 2^6):

	- w * 2^(w/2) bits = 2^6 * 2^32 bits = 2^38 bits
	- 2^38 bits is 2^35 bytes (byte contains 8=2^3 bits)
	- 2^35 bytes is 2^5 gigabytes (gigabyte contains 2^30 bits).

That would be 32 gigabytes, but this aside doesn't change the
above discussion, as a 1 Gbit/sec rate will get there in a few
minutes, and a 10 Gbit/sec rate will get there in under a minute.
Moreover the draft warns (with good reason) that getting close
to the birthday bound is not a good idea.

Thanks,
--David
----------------------------------------------------
David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
david.black@emc.com        Mobile: +1 (978) 394-7754
----------------------------------------------------

> -----Original Message-----
> From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of
> David McGrew (mcgrew)
> Sent: Tuesday, October 23, 2012 8:37 AM
> To: Paul Hoffman
> Cc: IPsecme WG; wajdi.k.feghali@intel.com
> Subject: Re: [IPsec] updating ESP and AH requirements (was: Call for agenda
> items)
> 
> 
> 
> On 10/22/12 8:32 PM, "Paul Hoffman" <paul.hoffman@vpnc.org> wrote:
> 
> >On Oct 22, 2012, at 4:55 PM, David McGrew (mcgrew) <mcgrew@cisco.com>
> >wrote:
> >
> >> One thing that deserves to be on the agenda is a discussion of the need
> >>to
> >> update the ESP and AH crypto requirements, which have not been updated
> >> since 2007, and to provide guidance on how to use ESP and AH to achieve
> >> security goals.   I have a draft proposing what that could look like,
> >> draft-mcgrew-ipsec-me-esp-ah-reqts-00.   This is off-charter, but I
> >> believe that it is something that many people would agree is worth
> >>doing.
> >
> >You may be overstating that "many people" agree that it is worth doing,
> >but it is certainly worth discussing.
> >
> >> Of course, comments on the detailed requirements are welcome as well.
> >
> >Your listing of TripleDES as "SHOULD NOT" without any cryptographic
> >justification might raise some eyebrows.
> 
> The issue is that 3DES has a 64-bit block instead of a 128-bit block;
> please see draft-irtf-cfrg-cipher-catalog-01 Section 2.2.3.   (In
> retrospect, there should have been a citation in the draft.)
> 
> David
> 
> >
> >--Paul Hoffman
> 
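
Added example (not part of the original message or of either draft): the per-key data volume and time-to-rekey arithmetic discussed above, using the w * 2^(w/2) bits figure quoted in the message and the standard birthday approximation for block collisions. The 2^-20 risk target, the 10 Mbit/s rate, and all function names are assumptions chosen for illustration.

```python
import math

def birthday_bound_bytes(w: int) -> int:
    """Volume w * 2^(w/2) bits, expressed in bytes, for a w-bit block cipher."""
    return (w * 2 ** (w // 2)) // 8

def collision_probability(nbytes: int, w: int) -> float:
    """Approximate chance that two ciphertext blocks collide under one key."""
    n = nbytes * 8 // w                       # number of w-bit blocks sent
    # Birthday approximation: 1 - exp(-n(n-1) / 2^(w+1))
    return -math.expm1(-n * (n - 1) / 2.0 ** (w + 1))

def max_bytes_for_risk(w: int, p: float) -> int:
    """Largest per-key volume that keeps collision probability at or below p."""
    # Invert the approximation: n^2 <= 2^(w+1) * -ln(1 - p)
    n = math.isqrt(int(2 ** (w + 1) * -math.log1p(-p)))
    return n * w // 8

def seconds_to_reach(nbytes: int, bits_per_sec: float) -> float:
    """Time to push nbytes through a link running encrypted at line rate."""
    return nbytes * 8 / bits_per_sec

if __name__ == "__main__":
    target = 2 ** -20                         # assumed acceptable risk per key
    rates = {"10 Mbit/s": 10e6, "1 Gbit/s": 1e9, "10 Gbit/s": 10e9}
    for name, w in (("3DES", 64), ("AES", 128)):
        bound = birthday_bound_bytes(w)
        limit = max_bytes_for_risk(w, target)
        print(f"{name}: w={w}, bound={bound} bytes, "
              f"P(collision at bound)={collision_probability(bound, w):.3f}, "
              f"rekey before {limit} bytes for risk <= 2^-20")
        for label, rate in rates.items():
            print(f"  {label}: bound in {seconds_to_reach(bound, rate):.3g} s, "
                  f"rekey limit in {seconds_to_reach(limit, rate):.3g} s")
```

For a 64-bit block the collision probability at the bound itself is about 0.39, which is why a byte-count SA lifetime needs to sit well below it.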