Hi,

Sorry this took me a bit of time to get to, I wanted to read through some
of the background materials first and have been a bit swamped lately
(should clear up soon).  Anyway, I have a few comments from my review and
also some from a developer.  Please don't feel the need to respond over the
weekend as I am sending this late on a Friday.

First, thank you very much for your work on this draft.  Having a standby
cipher on hand is a good thing for algorithm agility.  Hopefully we don't
need it for some time.


Section 2 talks about AEAD_CHACHA20_POLY1305 and makes the statement that
the initialization vector (part of the nonce) does not have to be
unpredictable.  That might be okay for chacha20 as long as you have
uniqueness, but I thought POLY1305 required an unpredictable nonce (section
2.5 of rfc7539).  It is not entirely clear to me where that value comes
from in this description.  Please let me know if I am missing something in
section 2.

  o  The Initialization Vector (IV) is 64-bit, and is used as part of
      the nonce.  The IV MUST be unique for each invocation for a
      particular SA but does not need to be unpredictable.  The use of a
      counter or a linear feedback shift register (LFSR) is RECOMMENDED.

The IANA considerations list ENCR_CHACHA20_POLY1305 as the name of the
algorithm without explanation in the draft.  It appears that this was a WG
decision:
https://www.ietf.org/mail-archive/web/ipsec/current/msg09772.html
An explanation might be helpful.  Elsewhere in the draft, you just have
AEAD_CHACHA20_POLY1305.

I had another implementer of AEAD_CHACHA20_POLY1305 (but not for IPsec)
read the draft and he commented that he didn't understand the term 'Standby
cipher'.  This was clear to me, but I read a lot of drafts.  It might be
helpful to expand on that a bit more since this came from a developer.

He also requested that it would be helpful if the packet could be laid out
to explain where the IV, ciphertext and tag go.  This seems like a
reasonable request and is from a developer.

Thank you & have a nice weekend!

-- 

Best regards,
Kathleen
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
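
The packet layout the developer asked about, as an added example that is not part of the original message or the draft: it splits an ESP packet into SPI, sequence number, IV, ciphertext and tag, and builds the nonce from a salt and a counter IV. Assumptions not stated on this page: a 4-byte per-SA salt prepended to the IV, a 16-byte tag, no extended sequence numbers; all names are hypothetical.

```python
import struct
from typing import NamedTuple

ESP_HDR_LEN = 8   # SPI (4 bytes) + sequence number (4 bytes), RFC 4303, no ESN
SALT_LEN = 4      # assumption: 32-bit per-SA salt taken from the keying material
IV_LEN = 8        # 64-bit IV, as in the draft text quoted in the message
TAG_LEN = 16      # Poly1305 tag (RFC 7539), carried as the ESP ICV

class EspParts(NamedTuple):
    spi: int
    seq: int
    iv: bytes
    ciphertext: bytes
    tag: bytes
    aad: bytes      # ESP header, authenticated but not encrypted
    nonce: bytes    # 96-bit AEAD nonce: salt || IV

class IvCounter:
    """Counter IV for one SA: unique per invocation, predictable by design."""
    def __init__(self, start=0):
        self._next = start

    def next_iv(self):
        if self._next >= 1 << (8 * IV_LEN):
            raise OverflowError("IV space exhausted, rekey the SA")
        iv = self._next.to_bytes(IV_LEN, "big")  # byte order is this example's choice
        self._next += 1
        return iv

def build_nonce(salt, iv):
    if len(salt) != SALT_LEN or len(iv) != IV_LEN:
        raise ValueError("nonce needs a 4-byte salt and an 8-byte IV")
    return salt + iv

def split_esp(packet, salt):
    """Split SPI | Seq | IV | ciphertext | tag without decrypting anything."""
    if len(packet) < ESP_HDR_LEN + IV_LEN + TAG_LEN:
        raise ValueError("too short for ESP header, IV and tag")
    spi, seq = struct.unpack("!II", packet[:ESP_HDR_LEN])
    body = packet[ESP_HDR_LEN:]
    iv, ciphertext, tag = body[:IV_LEN], body[IV_LEN:-TAG_LEN], body[-TAG_LEN:]
    return EspParts(spi, seq, iv, ciphertext, tag,
                    packet[:ESP_HDR_LEN], build_nonce(salt, iv))

# Constructed sample packet and salt (placeholder bytes, not real ciphertext)
SALT = bytes.fromhex("a0a1a2a3")
SAMPLE = (bytes.fromhex("0102030400000005") + IvCounter(start=7).next_iv()
          + b"\xaa" * 20 + b"\xbb" * TAG_LEN)

if __name__ == "__main__":
    print(split_esp(SAMPLE, SALT))
```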
