Re: [Curdle] Secdir last call review of draft-ietf-curdle-ssh-kex-sha2-14

Mališa Vučinić <malisa.vucinic@inria.fr> Mon, 01 March 2021 14:59 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/5oo6Hp1ROYn7-wMkbrA8SNo1lCA>

Hi Mark,

Thanks, see a couple of comments inline, enclosed within [MV] ... [/MV].

Mališa

On 28/02/2021 18:26, "Mark D. Baushke" <mdb@juniper.net> wrote:

    [CC- last-call@ietf.org] This message really only addresses specific
    review comments...
    
    Hi Ben and Mališa and Rene,
    
    Benjamin Kaduk <kaduk@mit.edu> writes:
    
    > Hi 
    > 
    > Thanks for the detailed review!
    > 
    > I can only answer for some of the points, so hopefully Mark can chime in as
    > needed.
    
    I will do what I can to address the points raised by everyone.
    
    I do not believe that I can introduce anything about SHA-3 hashing as
    that is not being used by Secure Shell key exchanges today and this is
    really only a survey of the existing key exchanges.

[MV] The comment on SHA-3 was really of an editorial nature as the sentence read too general, see the response to Ben for an easy resolution. [/MV]
    
    I will try to do a better job about the objective requirements.
    
    For example, the use of a 2048-bit MODP group with 112 bits of security
    is fine to protect a 3des-cbc 112 bits of security symmetric cipher.
    However, it is not sufficient to protect an aes128 bit key with 128 bits
    of security. Likewise, a SHA-1 hash with 80 bits or less of security is
    not really good to protect even the 3des-cbc cipher.
    
    The reason I recommended that a 3072-bit MODP group be used was to
    protect aes128 keys. I will try to make that point more explicit.
    
    Thank you for all of the comments. I have to find time to incorporate
    them.
    
    With regard to Rene's question about changing Table 6...
    
    Rene wrote:
    
    > Section 1: “This document updates [RFC4250] [RFC4253] [RFC4432]
    > [RFC4462] by changing the requirement level ("MUST" moving to "SHOULD"
    > or "MAY" or "SHOULD NOT", and "MAY" moving to "MUST" or "SHOULD" or
    > "SHOULD NOT" or "MUST NOT") of various key-exchange mechanisms.” - The
    > specific updates to these documents are spread out throughout the text
    > and pretty hard to grasp. It would be nice to see Table 6 updated, by
    > adding the reference RFC that is being updated, alongside the RFC
    > specifying the key exchange method, and maybe an old requirement
    > level.
    
    Table 6 presently has the kex name, RFC reference, and the
    implementation guidance for the method. This is intended to be what
    becomes the IANA table for key exchange method names. I am not entirely
    sure I understand what is desired. Some methods do not have any language
    about MUST, SHOULD, or MAY implement. So, the previous history is not
    really defined. This is how the table might look if I list "none" for
    those that are not called out in their RFCs:

[MV] 
I believe this was a comment I made. The underlying issue here is that when I was going through the doc, I had a hard time understanding the specific updates to the referenced RFCs. The proposal above was a means to resolve that. If you find that too clumsy, feel free to propose any other way of making it explicit what exactly is being updated within those documents.
[/MV]
    
       +==========================+===========+================+===========+
       | Key Exchange Method      | Reference | Previous       | Implement |
       | Name                     |           | Recommendation |           |
       +==========================+===========+================+===========+
       | curve25519-sha256        | RFC8731   | none           | SHOULD    |
       +--------------------------+-----------+----------------+-----------+
       | curve448-sha512          | RFC8731   | none           | MAY       |
       +--------------------------+-----------+----------------+-----------+
       | diffie-hellman-group-    | RFC4419   | none           | SHOULD    |
       | exchange-sha1            | RFC8270   |                | NOT       |
       +--------------------------+-----------+----------------+-----------+
       | diffie-hellman-group-    | RFC4419   | none           | MAY       |
       | exchange-sha256          | RFC8720   |                |           |
       +--------------------------+-----------+----------------+-----------+
       | diffie-hellman-          | RFC4253   | MUST           | SHOULD    |
       | group1-sha1              |           |                | NOT       |
       +--------------------------+-----------+----------------+-----------+
       | diffie-hellman-          | RFC4253   | MUST           | MAY       |
       | group14-sha1             |           |                |           |
       +--------------------------+-----------+----------------+-----------+
       | diffie-hellman-          | RFC8268   | none           | MUST      |
       | group14-sha256           |           |                |           |
       +--------------------------+-----------+----------------+-----------+
       | diffie-hellman-          | RFC8268   | none           | MAY       |
       | group15-sha512           |           |                |           |
       +--------------------------+-----------+----------------+-----------+
       | diffie-hellman-          | RFC8268   | none           | SHOULD    |
       | group16-sha512           |           |                |           |
       +--------------------------+-----------+----------------+-----------+
       | diffie-hellman-          | RFC8268   | none           | MAY       |
       | group17-sha512           |           |                |           |
       +--------------------------+-----------+----------------+-----------+
       | diffie-hellman-          | RFC8268   | none           | MAY       |
       | group18-sha512           |           |                |           |
       +--------------------------+-----------+----------------+-----------+
       | ecdh-sha2-*              | RFC5656   | MAY            | MAY       |
       +--------------------------+-----------+----------------+-----------+
       | ecdh-sha2-nistp256       | RFC5656   | MUST           | SHOULD    |
       +--------------------------+-----------+----------------+-----------+
       | ecdh-sha2-nistp384       | RFC5656   | MUST           | SHOULD    |
       +--------------------------+-----------+----------------+-----------+
       | ecdh-sha2-nistp521       | RFC5656   | MUST           | SHOULD    |
       +--------------------------+-----------+----------------+-----------+
       | ecmqv-sha2               | RFC5656   | MAY            | MAY       |
       +--------------------------+-----------+----------------+-----------+
       | ext-info-c               | RFC8308   | SHOULD         | SHOULD    |
       +--------------------------+-----------+----------------+-----------+
       | ext-info-s               | RFC8308   | SHOULD         | SHOULD    |
       +--------------------------+-----------+----------------+-----------+
       | gss-*                    | RFC4462   | none           | MAY       |
       +--------------------------+-----------+----------------+-----------+
       | gss-                     | RFC8732   | SHOULD         | SHOULD    |
       | curve25519-sha256-*      |           |                |           |
       +--------------------------+-----------+----------------+-----------+
       | gss-curve448-sha512-*    | RFC8732   | MAY            | MAY       |
       +--------------------------+-----------+----------------+-----------+
       | gss-gex-sha1-*           | RFC4462   | none           | SHOULD    |
       |                          |           |                | NOT       |
       +--------------------------+-----------+----------------+-----------+
       | gss-group1-sha1-*        | RFC4462   | none           | SHOULD    |
       |                          |           |                | NOT       |
       +--------------------------+-----------+----------------+-----------+
       | gss-group14-sha256-*     | RFC8732   | none           | SHOULD    |
       +--------------------------+-----------+----------------+-----------+
       | gss-group15-sha512-*     | RFC8732   | none           | MAY       |
       +--------------------------+-----------+----------------+-----------+
       | gss-group16-sha512-*     | RFC8732   | none           | MAY       |
       +--------------------------+-----------+----------------+-----------+
       | gss-group17-sha512-*     | RFC8732   | none           | MAY       |
       +--------------------------+-----------+----------------+-----------+
       | gss-group18-sha512-*     | RFC8732   | none           | MAY       |
       +--------------------------+-----------+----------------+-----------+
       | gss-nistp256-sha256-*    | RFC8732   | none           | SHOULD    |
       +--------------------------+-----------+----------------+-----------+
       | gss-nistp384-sha384-*    | RFC8732   | none           | SHOULD    |
       +--------------------------+-----------+----------------+-----------+
       | gss-nistp521-sha512-*    | RFC8732   | none           | SHOULD    |
       +--------------------------+-----------+----------------+-----------+
       | rsa1024-sha1             | RFC4432   | none           | MUST NOT  |
       +--------------------------+-----------+----------------+-----------+
       | rsa2048-sha256           | RFC4432   | none           | MAY       |
       +--------------------------+-----------+----------------+-----------+
    
    I am not sure if this table is now too busy to be in the IANA table or
    not and ask for suggestions to make the IANA table more useful.
    
    My goal is to upload a -15 revision of the document on or soon after
    March 8th when submissions are open again.

[MV] Great, thanks! [/MV]
    
    	Be safe, stay healthy,
    	-- Mark
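The strength argument in Mark's message (a 2048-bit MODP group at 112 bits covers 3des-cbc but not aes128; SHA-1 at 80 bits or less covers neither; 3072-bit MODP is needed for aes128) and the proposed Table 6 lend themselves to a small checker. The following is an added example written for this page, not code from the draft, the Curdle WG or either author. It assumes the security-strength figures given inline (the 1024/2048/3072-bit values follow NIST SP 800-57; the 4096/6144/8192-bit values are the commonly cited approximations and are an assumption of this example), takes the "Implement" column from the table quoted above, and treats the sample KEXINIT list as constructed input.

```python
"""Check SSH kex choices against the strength reasoning and Table 6 above.
Added example; strength figures and the sample kex list are assumptions."""
import re

# "Implement" column of the proposed Table 6 quoted in the mail.
GUIDANCE = {
    "curve25519-sha256": "SHOULD", "curve448-sha512": "MAY",
    "diffie-hellman-group-exchange-sha1": "SHOULD NOT",
    "diffie-hellman-group-exchange-sha256": "MAY",
    "diffie-hellman-group1-sha1": "SHOULD NOT", "diffie-hellman-group14-sha1": "MAY",
    "diffie-hellman-group14-sha256": "MUST", "diffie-hellman-group15-sha512": "MAY",
    "diffie-hellman-group16-sha512": "SHOULD", "diffie-hellman-group17-sha512": "MAY",
    "diffie-hellman-group18-sha512": "MAY", "ecdh-sha2-*": "MAY",
    "ecdh-sha2-nistp256": "SHOULD", "ecdh-sha2-nistp384": "SHOULD",
    "ecdh-sha2-nistp521": "SHOULD", "ecmqv-sha2": "MAY",
    "ext-info-c": "SHOULD", "ext-info-s": "SHOULD", "gss-*": "MAY",
    "gss-curve25519-sha256-*": "SHOULD", "gss-curve448-sha512-*": "MAY",
    "gss-gex-sha1-*": "SHOULD NOT", "gss-group1-sha1-*": "SHOULD NOT",
    "gss-group14-sha256-*": "SHOULD", "gss-group15-sha512-*": "MAY",
    "gss-group16-sha512-*": "MAY", "gss-group17-sha512-*": "MAY",
    "gss-group18-sha512-*": "MAY", "gss-nistp256-sha256-*": "SHOULD",
    "gss-nistp384-sha384-*": "SHOULD", "gss-nistp521-sha512-*": "SHOULD",
    "rsa1024-sha1": "MUST NOT", "rsa2048-sha256": "MAY",
}

MODP_BITS = {1: 1024, 14: 2048, 15: 3072, 16: 4096, 17: 6144, 18: 8192}
# Strength by modulus size (also used for the RFC 4432 RSA kex moduli).
# 1024/2048/3072 follow NIST SP 800-57; larger sizes are assumed estimates.
MODP_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 4096: 152, 6144: 176, 8192: 200}
CURVE_STRENGTH = {"nistp256": 128, "nistp384": 192, "nistp521": 256,
                  "curve25519": 128, "curve448": 224}
HASH_STRENGTH = {"sha1": 80, "sha256": 128, "sha384": 192, "sha512": 256}  # SHA-1 as in the mail
ECDH_HASH = {"nistp256": "sha256", "nistp384": "sha384", "nistp521": "sha512"}  # RFC 5656

# Parses plain and gss-* kex names; a trailing GSS mechanism suffix is ignored.
KEX_RE = re.compile(
    r"^(?:gss-)?(?:(?:diffie-hellman-)?group(?P<grp>\d+)"
    r"|(?:diffie-hellman-group-exchange|gex)(?P<gex>)"
    r"|(?:ecdh-sha2-)?(?P<curve>nistp\d+|curve25519|curve448)"
    r"|rsa(?P<rsa>\d+))(?:-(?P<hash>sha\d+))?")


def kex_strength(name, gex_bits=2048):
    """Return (group_bits, hash_bits) of security for a kex method name.
    gex_bits is the modulus size assumed negotiated for group exchange."""
    m = KEX_RE.match(name.split("@", 1)[0])
    if not m:
        raise ValueError("unrecognised kex method: " + name)
    if m.group("grp") is not None:
        group = MODP_STRENGTH[MODP_BITS[int(m.group("grp"))]]
    elif m.group("gex") is not None:
        group = MODP_STRENGTH[gex_bits]
    elif m.group("curve") is not None:
        group = CURVE_STRENGTH[m.group("curve")]
    else:
        group = MODP_STRENGTH[int(m.group("rsa"))]
    return group, HASH_STRENGTH[m.group("hash") or ECDH_HASH[m.group("curve")]]


def cipher_strength(cipher):
    """Key strength of the symmetric cipher the kex has to protect."""
    base = cipher.split("@", 1)[0]
    if base.startswith("3des"):
        return 112
    m = re.match(r"aes(\d+)", base)
    if m:
        return int(m.group(1))
    if base.startswith("chacha20"):
        return 256
    raise ValueError("unrecognised cipher: " + cipher)


def guidance_for(name):
    """Table 6 level for a kex name; the longest matching wildcard row wins."""
    base = name.split("@", 1)[0]
    if base in GUIDANCE:
        return GUIDANCE[base]
    matches = [k for k in GUIDANCE if k.endswith("*") and base.startswith(k[:-1])]
    return GUIDANCE[max(matches, key=len)] if matches else "unlisted"


def check_pairing(kex, cipher, gex_bits=2048):
    """Is min(group, hash) strength of the kex enough for the cipher's key?"""
    kex_bits = min(kex_strength(kex, gex_bits))
    cipher_bits = cipher_strength(cipher)
    return {"kex_bits": kex_bits, "cipher_bits": cipher_bits,
            "adequate": kex_bits >= cipher_bits, "guidance": guidance_for(kex)}


def audit_kex_list(offered):
    """Flag entries of a comma-separated KEXINIT kex list that Table 6
    marks SHOULD NOT / MUST NOT, or that it does not list at all."""
    flagged = []
    for name in offered.split(","):
        level = guidance_for(name)
        if "NOT" in level or level == "unlisted":
            flagged.append((name, level))
    return flagged


# Constructed sample of a server's kex_algorithms name-list (not a real capture).
SAMPLE_KEXINIT = ("curve25519-sha256,diffie-hellman-group14-sha256,"
                  "diffie-hellman-group1-sha1,rsa1024-sha1,ext-info-c")

if __name__ == "__main__":
    for kex, cipher in [("diffie-hellman-group14-sha256", "3des-cbc"),
                        ("diffie-hellman-group14-sha256", "aes128-ctr"),
                        ("diffie-hellman-group15-sha512", "aes128-ctr"),
                        ("diffie-hellman-group14-sha1", "3des-cbc")]:
        print(kex, cipher, check_pairing(kex, cipher))
    print(audit_kex_list(SAMPLE_KEXINIT))
```

The pairing check reproduces the mail's three cases: group14 with SHA-256 reaches 112 bits, enough for 3des-cbc but not aes128; group14 with SHA-1 drops to 80 bits because the weaker of group and hash bounds the exchange; group15 is the first MODP size that covers aes128. The audit function is what an operator would run over a server's advertised kex list to spot methods the draft moves to SHOULD NOT or MUST NOT.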