
RE: Last ditch proposal for crypto suites



At 10:22 AM 8/30/2002 -0700, Scott Fluhrer wrote:
>At 06:45 AM 8/30/02 , Hallam-Baker, Phillip wrote:
>>Actually following on from Radia's point I think we would have three suites:
>>
>>1: RSA/3DES-CBC/SHA-1 
>>2: RSA/AES-CTR-128/SHA-2
>>3: RSA/AES-CTR-256/SHA-2
>
>One problem with mandating AES counter mode is that there's been quite a bit
>of hardware development that assumed the AES CBC mode draft.  Some of it can
>be changed to use counter mode without too much pain and effort, but some of
>it can't.  If these are MUST suites, this means that those implementations
>cannot do IKEv2 efficiently, not because they cannot do the IKEv2 protocol
>itself, but because they cannot do the negotiated IPSec transforms.  I would
>suggest that this is not in the IETF's best interest to impose such
>limitations.
>

You bring up an excellent point.  It's not as if we will save much padding.
The real issue is further out beyond the immediate pain of those who jumped
the gun.  What about the significant performance optimization that can be
achieved with CTR vs. CBC?  Doesn't this make CTR the best choice in the
long run?  Let's pick one or the other, but not both.

- Alex


--

Alex Alten
Alten@ATTBI.com