
RE: Two AES encryption modes?



> "The cost is acceptable" is a legitimate position; "the cost is not
> important" is not.

A typical transform payload (including the header) for IKEv1 will run about
32 bytes for phase 1 and 24 bytes for phase 2. Eight bytes of that is the SA
lifetime, which has been omitted from IKEv2. The real problem in terms of
bandwidth consumption was permutation explosion, which has also been solved
in IKEv2.

This is completely drowned out by the cost of doing group 5 with
certificates. I just generated a sample exchange: cert request = 97 bytes,
key exchange = 196 bytes, certificate = 713 bytes, signature = 132 bytes.

My claim is not so much that the cost is not important, but rather that it
will be drowned out by other factors. The cost is acceptable by the same
rationale that tells you if you're buying a Lamborghini then you shouldn't
bother haggling over the cost of the radio.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.
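To make the byte counts in the message above concrete, here is an added example (not code from the thread or from any IKE implementation) that builds IKEv1 transform payloads with the RFC 2408 wire layout (8-byte transform header followed by TLV data attributes) and the attribute numbers from RFC 2409 (phase 1) and RFC 2407 (phase 2). It reproduces the figures quoted: a phase 1 transform of 32 bytes, a phase 2 transform of 24 bytes, 8 of which are the SA lifetime, and it estimates how much room a datagram has left before UDP fragmentation becomes a concern. The cipher suite (3DES or AES-CBC, SHA-1, RSA signatures, group 5), the lifetimes, and the 1500-byte IPv4/Ethernet MTU are assumptions chosen for illustration; the sample exchange sizes are the ones given in the message.

```python
"""Added example: sizing IKEv1 (ISAKMP) transform payloads and fragmentation headroom."""
import struct

AF_BASIC = 0x8000  # attribute-format bit: set for 2-byte "basic" values (RFC 2408 s3.3)

# RFC 2409 Appendix A: phase 1 (ISAKMP SA) attribute classes and selected values
P1_ENCRYPTION_ALGORITHM, P1_HASH_ALGORITHM, P1_AUTHENTICATION_METHOD = 1, 2, 3
P1_GROUP_DESCRIPTION, P1_LIFE_TYPE, P1_LIFE_DURATION, P1_KEY_LENGTH = 4, 11, 12, 14
ENC_3DES_CBC, ENC_AES_CBC = 5, 7          # AES-CBC value 7 is the IANA assignment (RFC 3602)
HASH_SHA1, AUTH_RSA_SIG, GROUP_5_MODP1536 = 2, 3, 5
LIFE_SECONDS, KEY_IKE = 1, 1

# RFC 2407 s4.5: phase 2 (IPsec DOI) attribute classes and selected values
P2_LIFE_TYPE, P2_LIFE_DURATION, P2_ENCAPSULATION_MODE = 1, 2, 4
P2_AUTHENTICATION_ALGORITHM, P2_KEY_LENGTH = 5, 6
ESP_3DES, ESP_AES, ENCAP_TUNNEL, AUTH_HMAC_SHA1 = 3, 12, 1, 2


def encode_attribute(attr_type, value):
    """Encode one data attribute: 4-byte basic form if the value fits in 16 bits,
    otherwise the variable form (type, 2-byte length, 4-byte value)."""
    if value < 0x10000:
        return struct.pack("!HH", AF_BASIC | attr_type, value)
    return struct.pack("!HHI", attr_type, 4, value)


def transform_payload(transform_num, transform_id, attributes, next_payload=0):
    """Transform payload (RFC 2408 s3.6): next payload, reserved, length,
    transform #, transform id, reserved2, then the attributes."""
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = struct.pack("!BBHBBH", next_payload, 0, 8 + len(body),
                         transform_num, transform_id, 0)
    return header + body


def phase1_transform(encryption=ENC_3DES_CBC, key_length=None, lifetime_seconds=28800):
    """One phase 1 transform; AES needs an extra Key Length attribute (assumed suite)."""
    attrs = [(P1_ENCRYPTION_ALGORITHM, encryption)]
    if key_length is not None:
        attrs.append((P1_KEY_LENGTH, key_length))
    attrs += [(P1_HASH_ALGORITHM, HASH_SHA1), (P1_AUTHENTICATION_METHOD, AUTH_RSA_SIG),
              (P1_GROUP_DESCRIPTION, GROUP_5_MODP1536)]
    if lifetime_seconds is not None:
        attrs += [(P1_LIFE_TYPE, LIFE_SECONDS), (P1_LIFE_DURATION, lifetime_seconds)]
    return transform_payload(1, KEY_IKE, attrs)


def phase2_transform(esp_transform=ESP_3DES, key_length=None, lifetime_seconds=3600):
    """One phase 2 (ESP) transform: tunnel mode, HMAC-SHA1, optional lifetime."""
    attrs = [(P2_ENCAPSULATION_MODE, ENCAP_TUNNEL), (P2_AUTHENTICATION_ALGORITHM, AUTH_HMAC_SHA1)]
    if key_length is not None:
        attrs.append((P2_KEY_LENGTH, key_length))
    if lifetime_seconds is not None:
        attrs += [(P2_LIFE_TYPE, LIFE_SECONDS), (P2_LIFE_DURATION, lifetime_seconds)]
    return transform_payload(1, esp_transform, attrs)


def lifetime_overhead():
    """Bytes the SA lifetime (life type + life duration) adds to a phase 1 transform."""
    return len(phase1_transform()) - len(phase1_transform(lifetime_seconds=None))


def fragmentation_headroom(payload_sizes, mtu=1500, ip_header=20, udp_header=8, isakmp_header=28):
    """Bytes left in one UDP datagram before it exceeds the (assumed IPv4/Ethernet) MTU."""
    return mtu - ip_header - udp_header - isakmp_header - sum(payload_sizes)


if __name__ == "__main__":
    print("phase 1 transform (3DES):", len(phase1_transform()), "bytes")
    print("phase 1 transform (AES-128):", len(phase1_transform(ENC_AES_CBC, 128)), "bytes")
    print("phase 2 transform:", len(phase2_transform()), "bytes")
    print("of which lifetime:", lifetime_overhead(), "bytes")
    # Sample exchange sizes quoted in the message: cert request, key exchange, certificate, signature.
    room = fragmentation_headroom([97, 196, 713, 132])
    print("headroom if packed in one datagram:", room, "bytes",
          "=", room // len(phase1_transform()), "extra 3DES-style transforms")
```

Each additional transform offered (for instance one per AES mode) costs another 32 to 36 bytes in the phase 1 SA payload, which is the cost being weighed against the certificate and group 5 key exchange sizes. The headroom figure packs the quoted payloads into a single datagram only to compare magnitudes; in main mode they are spread over several messages, so the actual per-datagram margin is larger.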



> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Henry Spencer
> Sent: Monday, July 29, 2002 4:30 PM
> To: IP Security List
> Subject: RE: Two AES encryption modes?
>
>
> On 29 Jul 2002, Andrew Krywaniuk wrote:
> > The bits on the wire issue is a red herring, unless you are also advocating
> > using group 1 and preshared keys to save bandwidth.
>
> Bits on the wire may be worth the cost in some contexts, but the cost
> cannot be ignored entirely, so long as IKE/SOI negotiations use UDP and
> thus can be crippled by fragmentation problems.
>
> "The cost is acceptable" is a legitimate position; "the cost is not
> important" is not.
>
>
> Henry Spencer
>
> henry@spsystems.net
>