Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)
draft-ietf-ipsec-ciph-aes-ccm-05
Note: This ballot was opened for revision 05 and is now closed.
(Steven Bellovin; former steering group member) Yes
(Alex Zinin; former steering group member) No Objection
(Allison Mankin; former steering group member) (was Discuss, No Objection, Discuss, No Record, No Objection) No Objection
A question that is probably for my own education: a significant issue in the SRTP discussion about AES counter mode was the risk that an attacker could forge an encrypted message that would decode to non-random plaintext, or succeed in an insertion attack, in null or weak authentication. The Security Area in that case specified strengths by length (of an HMAC-SHA1), requiring at least 96 bits for traffic for which this risk was not tolerable (see draft-ietf-srtp-09.txt, 9.5.1). Are things hand-wavy enough that the minimum 8 octets is fine? Is ICV not comparable? (Not wanting in any way to open any WG worm-cans that were hard to close, since other drafts that can trade off issues like these really need this document).
(Bert Wijnen; former steering group member) No Objection
(Bill Fenner; former steering group member) No Objection
(Harald Alvestrand; former steering group member) No Objection
(Jon Peterson; former steering group member) No Objection
Nit, section 2, description of AAD (middle of pg4) - "The construction of the AAD described in section 5" perhaps should be "AAD is described in"?
Nit, third line of Section 4 - "The AES counter block 16 octets", perhaps should be "is 16 octets"?
(Margaret Cullen; former steering group member) No Objection
My comments are resolved by Russ' -05 update.
(Ned Freed; former steering group member) No Objection
(Ted Hardie; former steering group member) No Objection
(Thomas Narten; former steering group member) No Objection
> accommodates a full Jumbogram [JUMBO]; however, the length
missing reference.
> AES-CCM employs counter mode for encryption. As with any stream
> cipher, reuse of the IV same value with the same key is catastrophic.
s/IV same/same IV/
(Russ Housley; former steering group member) Recuse