[Curdle] [Editorial Errata Reported] RFC8270 (5502)

RFC Errata System <rfc-editor@rfc-editor.org> Fri, 21 September 2018 21:43 UTC

To: logan@hackers.mu, mdb@juniper.net, kaduk@mit.edu, ekr@rtfm.com, daniel.migault@ericsson.com, rsalz@akamai.com
Cc: eugene.adell@gmail.com, curdle@ietf.org, rfc-editor@rfc-editor.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/962ZA7Gh9nWrKWVfy3oFAW4_tR0>

The following errata report has been submitted for RFC8270,
"Increase the Secure Shell Minimum Recommended Diffie-Hellman Modulus Size to 2048 Bits".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5502

--------------------------------------
Type: Editorial
Reported by: Eugene Adell <eugene.adell@gmail.com>

Section: 5

Original Text
-------------
   A malicious client could cause a Denial of Service by intentionally
   making multiple connections that are less than 2048 bits in size.
   Therefore, operating systems SHOULD NOT log DH groups that are less
   than 2048 bits in size, as it would create an additional attack
   surface.

Corrected Text
--------------
   A malicious client could cause a Denial of Service by intentionally
   making multiple connections that are less than 2048 bits in size.
   Therefore, operating systems without any rate-limited logging 
   SHOULD NOT log DH groups that are less than 2048 bits in size, as it
   would create an additional attack surface.

Notes
-----
Instead of ignoring attacks, the administrator wants to know when one is taking place, particularly if it is an intense one which would lead to a denial of service, as suggested by the authors. Thus, using a rate-limited logging mechanism is an appropriate solution to keep records of the attack, and to notify the administrator in real time so that he can take action if he wants to. As there might not be other ways to inform the administrator of an attack taking place, not logging at all is the last choice.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC8270 (draft-ietf-curdle-ssh-dh-group-exchange-06)
--------------------------------------
Title               : Increase the Secure Shell Minimum Recommended Diffie-Hellman Modulus Size to 2048 Bits
Publication Date    : December 2017
Author(s)           : L. Velvindron, M. Baushke
Category            : PROPOSED STANDARD
Source              : CURves, Deprecating and a Little more Encryption
Area                : Security
Stream              : IETF
Verifying Party     : IESG
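
The rate-limited logging proposed in the corrected text above, sketched as an added example (not part of the erratum, RFC 8270, or any SSH implementation): a token bucket that records the start of a flood of sub-2048-bit requests and then writes a bounded number of records carrying a count of suppressed events. The class, logger name, rate and burst values, and the sample events are assumptions.

```python
import logging

MIN_DH_BITS = 2048  # RFC 8270 minimum recommended modulus size


class RateLimitedWeakDHLog:
    """Token bucket: up to `burst` records at once, refilled at `rate` per second."""

    def __init__(self, rate=1.0, burst=5, logger=None):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None      # timestamp of the previous weak-group event
        self.suppressed = 0   # events dropped since the last emitted record
        self.log = logger or logging.getLogger("sshd.kex")  # assumed logger name

    def record(self, now, peer, bits):
        """Return True if a log record was written for this event."""
        if bits >= MIN_DH_BITS:
            return False      # acceptable group, nothing to report
        if self.last is not None:
            refill = (now - self.last) * self.rate
            self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens < 1.0:
            self.suppressed += 1   # flood costs one counter increment, no I/O
            return False
        self.tokens -= 1.0
        self.log.warning("weak DH group: peer=%s bits=%d suppressed_since_last=%d",
                         peer, bits, self.suppressed)
        self.suppressed = 0
        return True


# Constructed sample: 64 requests/second for 10 s with a 1024-bit group.
CONSTRUCTED_FLOOD = [(i / 64, "192.0.2.10", 1024) for i in range(640)]


def simulate(events, rate=1.0, burst=5):
    """Return (records written, events suppressed since the last record)."""
    limiter = RateLimitedWeakDHLog(rate, burst)
    written = sum(limiter.record(t, p, b) for t, p, b in events)
    return written, limiter.suppressed


if __name__ == "__main__":
    print(simulate(CONSTRUCTED_FLOOD))
```

The bucket is global rather than per-peer, so its memory use stays constant however many source addresses take part.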