| Re: crypto algorithms for DTLS | <– Date –> <– Thread –> |
From: Abhijit Choudhury (achoudhu) (achoudhu cisco.com)
|
|
| Date: Wed, 9 Jul 2008 11:01:01 -0700 (PDT) | |
I'm okay with adding AES-GCM support as a MAY.
However, I'd suggest we add the following ciphers:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Also, in the current spec, shouldn't we be specifying
DHE instead of DH in the cipher suite recommendations.
Scott, Charles, Joe: any thoughts on this ?
Thanks,
Abhijit
-----Original Message-----
From: Dorothy.Gellert [at] nokia.com [mailto:Dorothy.Gellert [at] nokia.com]
Sent: Tuesday, July 08, 2008 4:17 PM
To: Pat Calhoun (pacalhou); skelly [at] arubanetworks.com; Abhijit Choudhury
(achoudhu)
Cc: capwap [at] frascone.com
Subject: RE: [Capwap] crypto algorithms for DTLS
Hi All,
Are there any objections in the WG to adding the following cipher
suites:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_DH_RSA_WITH_AES_256_GCM_SHA384 to the base spec as a MAY?
If not, based on the list discussion and approved draft status of
draft-ietf-tls-rsa-aes-gcm-03.txt, I support including these cipher
suites as a MAY in the next(last) WGLC.
Best Regards,
Dorothy
> -----Original Message-----
> From: ext Pat Calhoun (pacalhou) [mailto:pcalhoun [at] cisco.com]
> Sent: Tuesday, July 08, 2008 4:06 PM
> To: Scott Kelly; Abhijit Choudhury (achoudhu)
> Cc: capwap
> Subject: Re: [Capwap] crypto algorithms for DTLS
>
> Oh, and just to make sure, if we were to go ahead with this, the
> following cipher suites would be added:
>
> TLS_RSA_WITH_AES_128_GCM_SHA256
> TLS_DH_RSA_WITH_AES_256_GCM_SHA384
>
> Right?
>
> PatC
>
> -----Original Message-----
> From: Pat Calhoun (pacalhou)
> Sent: Tuesday, July 08, 2008 3:57 PM
> To: Scott Kelly; Abhijit Choudhury (achoudhu)
> Cc: capwap
> Subject: Re: [Capwap] crypto algorithms for DTLS
>
> CAPWAP Chairs,
>
> I am done with the edits, and ready to submit the spec for the WG Last
> Call. This is a new feature, and we had agreed to defer to the next
> version of the protocol. However, the IETF has completed the long
> pole, and the change, as a MAY, is fairly minor. What would you
> recommend?
>
> PatC
>
> -----Original Message-----
> From: Scott Kelly [mailto:skelly [at] arubanetworks.com]
> Sent: Tuesday, July 08, 2008 3:42 PM
> To: Abhijit Choudhury (achoudhu)
> Cc: capwap
> Subject: Re: [Capwap] crypto algorithms for DTLS
>
> Hi Abhijit,
>
> >
> > Folks,
> >
> > The issue of using AES-GCM as a cipher-suite for CAPWAP/DTLS was
> > discussed in the list about a year ago. (Please refer to
> CAPWAP issue
>
> > 7
> > (http://www.capwap.org/cgi-bin/roundup.cgi/CAPWAP/issue7)
> >
> > Due to the use of DTLS, we were stuck with TLS ciphersuites.
> > To use GCM we would require a TLS GCM ciphersuite. We
> discussed this
> > at an ad-hoc meeting, and decided to defer this feature, as GCM was
> > not a TLS ciphersuite, and there was no document to reference.
> >
> > However, since that time, use of AES-GCM has been approved
> in the TLS
> > working group, and we have an approved draft
> > https://datatracker.ietf.org/idtracker/draft-ietf-tls-rsa-aes-gcm/
> >
> > As noted in the original email, there is a lot of momentum
> behind this
>
> > crypto algorithm, and it results in significant improvements in
> > throughput in either HW or SW implementations.
> >
> > Could we address this issue in the current spec and make AES-GCM an
> > ciphersuite that can be used with CAPWAP/DTLS ?
>
> I have no objections to adding support for AES-GCM as a MAY.
> The original proposal suggested making it mandatory to implement, but
> given the current lack of support in commodity crypto HW, I don't
> think this would be appropriate at this time.
>
> --Scott
>
>
> _________________________________________________________________
> To unsubscribe or modify your subscription options, please visit:
> http://lists.frascone.com/mailman/listinfo/capwap
>
> Archives: http://lists.frascone.com/pipermail/capwap
> _________________________________________________________________
> To unsubscribe or modify your subscription options, please visit:
> http://lists.frascone.com/mailman/listinfo/capwap
>
> Archives: http://lists.frascone.com/pipermail/capwap
> _________________________________________________________________
> To unsubscribe or modify your subscription options, please visit:
> http://lists.frascone.com/mailman/listinfo/capwap
>
> Archives: http://lists.frascone.com/pipermail/capwap
>
- Re: crypto algorithms for DTLS, (continued)
- Re: crypto algorithms for DTLS Scott Kelly, July 8 2008
- Re: crypto algorithms for DTLS Pat Calhoun (pacalhou), July 8 2008
- Re: crypto algorithms for DTLS Pat Calhoun (pacalhou), July 8 2008
- Re: crypto algorithms for DTLS Dorothy.Gellert, July 8 2008
- Re: crypto algorithms for DTLS Abhijit Choudhury (achoudhu), July 9 2008
- Re: crypto algorithms for DTLS Scott Kelly, July 9 2008
- Re: crypto algorithms for DTLS Pat Calhoun (pacalhou), July 10 2008
- Re: crypto algorithms for DTLS Joseph Salowey (jsalowey), July 9 2008
- Re: crypto algorithms for DTLS Abhijit Choudhury (achoudhu), July 9 2008
Results generated by Tiger Technologies using MHonArc.