[danmcd@sun.com: [Ipsec-tools-devel] SHA-2 and RFC 4868]

[danmcd@sun.com: [Ipsec-tools-devel] SHA-2 and RFC 4868]

[Dan McDonald]

Pardon the top-post.  Paul Moore suggested this mailing list as the best
place to ask the following.

Thanks,
Dan McD.

----- Forwarded message from Dan McDonald <danmcd@sun.com> -----

Date: Thu, 07 May 2009 15:57:39 -0400
From: Dan McDonald <danmcd@sun.com>
To: ipsec-tools-devel@lists.sourceforge.net
Subject: [Ipsec-tools-devel] SHA-2 and RFC 4868
User-Agent: Mutt/1.5.19 (2009-01-05)

Not sure if this is the most appropriate list for the topic, but I'm sure
enough actual AH/ESP implementors hang out here.

I've noticed at least one other platform doesn't do SHA-2 per RFC 4868
(half-sized hash truncation), and instead truncates the SHA-2 hashes to
96-bits like MD5 and SHA1.

Is this just me, or is there an unfixed kernel problem in other platforms'
AH/ESP code?

Thanks,
Dan

------------------------------------------------------------------------------
The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
production scanning environment may not be a perfect world - but thanks to
Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
Series Scanner you'll get full speed at 300 dpi even with all image 
processing features enabled. http://p.sf.net/sfu/kodak-com
_______________________________________________
Ipsec-tools-devel mailing list
Ipsec-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel

----- End forwarded message -----

Re: [danmcd@sun.com: [Ipsec-tools-devel] SHA-2 and RFC 4868]

[Adrian-Ken Rüegsegger]

> ----- Forwarded message from Dan McDonald <danmcd@sun.com> -----
> 
> Date: Thu, 07 May 2009 15:57:39 -0400
> From: Dan McDonald <danmcd@sun.com>
> To: ipsec-tools-devel@lists.sourceforge.net
> Subject: [Ipsec-tools-devel] SHA-2 and RFC 4868
> User-Agent: Mutt/1.5.19 (2009-01-05)
> 
> Not sure if this is the most appropriate list for the topic, but I'm sure
> enough actual AH/ESP implementors hang out here.
> 
> I've noticed at least one other platform doesn't do SHA-2 per RFC 4868
> (half-sized hash truncation), and instead truncates the SHA-2 hashes to
> 96-bits like MD5 and SHA1.
> 
> Is this just me, or is there an unfixed kernel problem in other platforms'
> AH/ESP code?

This issues was discussed (but not resolved) a bit less than a year ago:

http://lkml.org/lkml/2008/6/5/141

Regards,
Adrian

Re: [danmcd@sun.com: [Ipsec-tools-devel] SHA-2 and RFC 4868]

[Dan McDonald]

On Tue, May 12, 2009 at 10:16:27AM +0200, Adrian-Ken R?egsegger wrote:

<mucho snippage deleted!>

> > Is this just me, or is there an unfixed kernel problem in other platforms'
> > AH/ESP code?
> 
> This issues was discussed (but not resolved) a bit less than a year ago:
> 
> http://lkml.org/lkml/2008/6/5/141

Thanks for the thread pointer.  I would like it if you guys updated to RFC
4868, but I'm obviously in no position to have any influence.  If you wanna
test it, though, OpenSolaris has 4868 support, and if you need help for
interoperability testing, just ask.

BTW, it *is* possible to have user-space supply such parameters.  Have a look
at the ipsecalgs(1M) man page for an example:

http://docs.sun.com/app/docs/doc/816-5166/ipsecalgs-1m?l=en&a=view&q=ipsecalgs

In fact, we've done backward compatibility tests with MacOS X by adjusting
the truncation size with ipsecalgs(1M).  ISTR it worked with SHA-256.

Dan