Re: [Curdle] State of draft-ietf-curdle-ssh-kex-sha2?

"Mark D. Baushke" <mdb@juniper.net> Mon, 13 July 2020 18:52 UTC

To: IETF curdle <curdle@ietf.org>, IETF ssh <ietf-ssh@netbsd.org>
CC: "Mark D. Baushke" <mdb=40juniper.net@dmarc.ietf.org>, curdle-chairs <curdle-chairs@ietf.org>, denis bider <denisbider.ietf@gmail.com>, "Ron Frederick" <ronf@timeheart.net>, Loganaden Velvindron <loganaden@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/2mjHezIkd19cK-5eJY_3yhypwd0>

Hi Folks,

I have updated a new revision of draft-ietf-curdle-ssh-kex-sha2-11 for
your review which gives a survey of the Key Exchange Algorithms for
Secure Shell.

The current revision does NOT have any 'MUST' implement algorithms, but
does provide 'SHOULD NOT' for most of the algorithms using sha1.

As I understand it, the following are candidates for MUST:

  * diffie-hellman-group14-sha256
    [It is not clear to me how much longer 2048-bits will be considered
     strong enough.]

  * curve25519-sha256

  * ecdh-sha2-nistp256
    [Some folks are not happy with the current ECDH curves.]

I would look for discussion on the list about which Key Exchange
Algorithms are Mandatory to Implement going forward.

Fwiw: I will be attending the IETF 108 virtual conference; I believe
there will not be an IETF Curdle meeting.

	Be safe, stay healthy,
	-- Mark
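
Added example, not part of the original message or of the draft: a Python check that reads the kex_algorithms name-list from an SSH_MSG_KEXINIT payload (layout per RFC 4253, section 7.1) and reports which of the three MUST candidates named above a peer offers and which sha1-based methods it still advertises. The "-sha1" suffix match is an assumption (the message says "most", not all, sha1 algorithms get SHOULD NOT), and the function names and sample payload are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20  # message number from RFC 4253, section 7.1

# The three candidates for MUST listed in the message above.
MUST_CANDIDATES = {
    "diffie-hellman-group14-sha256",
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
}


def kex_names(payload):
    """Return the kex_algorithms name-list of an SSH_MSG_KEXINIT payload."""
    # Layout: 1 byte type, 16 byte cookie, then uint32 length + comma-separated names.
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    (length,) = struct.unpack_from(">I", payload, 17)
    raw = payload[21:21 + length]
    if len(raw) != length:
        raise ValueError("truncated kex_algorithms name-list")
    return raw.decode("ascii").split(",") if raw else []


def audit(payload):
    """Classify a peer's offered key exchange methods."""
    names = kex_names(payload)
    return {
        # Assumption: suffix match; the message does not enumerate the sha1 methods.
        "sha1": [n for n in names if n.endswith("-sha1")],
        "candidates_offered": [n for n in names if n in MUST_CANDIDATES],
        "candidates_missing": sorted(MUST_CANDIDATES - set(names)),
    }


def build_sample():
    """Constructed KEXINIT payload: zero cookie, only kex_algorithms filled in."""
    kex = (b"curve25519-sha256,diffie-hellman-group14-sha1,"
           b"diffie-hellman-group1-sha1,diffie-hellman-group14-sha256")
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    payload += struct.pack(">I", len(kex)) + kex
    payload += struct.pack(">I", 0) * 9       # nine remaining name-lists, empty
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    return payload


if __name__ == "__main__":
    for key, value in audit(build_sample()).items():
        print(f"{key}: {', '.join(value) or '-'}")
```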