Re: [IPsec] Comments on draft-mglt-ipsecme-implicit-iv-02.tx

2017-03-19 Thread Daniel Migault
S 2. >This document does not consider AES-CBC ([RFC3602])as AES-CBC >>requires the IV to be unpredictable. Deriving it directly from the >>packet counter as described below is insecure. >> >> Can you provide a cite for this? >> >> >> Even RFC 3602 requires that the IV be randomly

Re: [IPsec] Comments on draft-mglt-ipsecme-implicit-iv-02.tx

2017-03-19 Thread Yoav Nir
> On 19 Mar 2017, at 19:30, Eric Rescorla wrote: > > > > On Sun, Mar 19, 2017 at 10:23 AM, Yoav Nir > wrote: > >> On 19 Mar 2017, at 16:55, Eric Rescorla > > wrote: >> >> Overall: >> I

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Eric Rescorla
Thanks for the explanation... -Ekr On Sun, Mar 19, 2017 at 11:45 AM, Tommy Pauly wrote: > Some servers may support that, but some may not. These sessions are often > used for VPN access, and we've seen cases in which a particular > user/certificate combination is only

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Tommy Pauly
Some servers may support that, but some may not. These sessions are often used for VPN access, and we've seen cases in which a particular user/certificate combination is only allowed to be connected once-at-a-time. That makes switching more complicated. Also, since the recommendation is to try

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Eric Rescorla
I haven't fully thought this through, but if yu can switch-hit between TCP and UDP, why can't you just race the setup between TCP and UDP and then if you start getting packets on UDP, cut over to that. Maybe I'm just too influenced by ICE :) -Ekr On Sun, Mar 19, 2017 at 11:25 AM, Tommy Pauly

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Tommy Pauly
> On Mar 19, 2017, at 6:47 AM, Eric Rescorla wrote: > > > > On Sat, Mar 18, 2017 at 11:29 PM, Yoav Nir > wrote: > Hi, Eric. > >> On 19 Mar 2017, at 4:04, Eric Rescorla > > wrote: >> >>

Re: [IPsec] Comments on draft-mglt-ipsecme-implicit-iv-02.tx

2017-03-19 Thread Eric Rescorla
On Sun, Mar 19, 2017 at 10:23 AM, Yoav Nir wrote: > > On 19 Mar 2017, at 16:55, Eric Rescorla wrote: > > Overall: > I notice that you are using a construction different from that used > in TLS 1.3, which doesn't directly repeat nonces across associations. > >

Re: [IPsec] Comments on draft-mglt-ipsecme-implicit-iv-02.tx

2017-03-19 Thread Yoav Nir
> On 19 Mar 2017, at 16:55, Eric Rescorla wrote: > > Overall: > I notice that you are using a construction different from that used > in TLS 1.3, which doesn't directly repeat nonces across associations. > > S 2. >This document does not consider AES-CBC ([RFC3602])as AES-CBC

[IPsec] Comments on draft-mglt-ipsecme-implicit-iv-02.tx

2017-03-19 Thread Eric Rescorla
Overall: I notice that you are using a construction different from that used in TLS 1.3, which doesn't directly repeat nonces across associations. S 2. This document does not consider AES-CBC ([RFC3602])as AES-CBC requires the IV to be unpredictable. Deriving it directly from the packet

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Eric Rescorla
On Sat, Mar 18, 2017 at 11:29 PM, Yoav Nir wrote: > Hi, Eric. > > On 19 Mar 2017, at 4:04, Eric Rescorla wrote: > > [Now with the right address] > > I just finished reading this document. Some comments below. > > > - You have a uniform 16 bit length field

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Yoav Nir
> On 19 Mar 2017, at 13:20, Valery Smyslov wrote: > > Hi Yoav, > >> > I don't think it's a good idea. The TCP encapsulation has a lot of >> > drawbacks in terms of performance (see Section > 12), so it is considered >> > as a last resort if UDP doesn't work. In general UDP

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Valery Smyslov
Hi Yoav, > I don't think it's a good idea. The TCP encapsulation has a lot of drawbacks in terms of performance (see Section > 12), so it is considered > as a last resort if UDP doesn't work. In general UDP (or no encapsulation) is a preferred transport. If we start > trying TCP and UDP in

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Valery Smyslov
Hi Eric, I just finished reading this document. Some comments below. - You have a uniform 16 bit length field followed by a 4 byte all-zeros sentinel value to indicate that a packet is IKE rather than ESP. Given that in S 3 graf 2 you have a SHOULD-level requirement to use typical

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Yoav Nir
Hi, Eric. > On 19 Mar 2017, at 4:04, Eric Rescorla wrote: > > [Now with the right address] > > I just finished reading this document. Some comments below. > > > - You have a uniform 16 bit length field followed by a 4 byte all-zeros >sentinel value to indicate that a