Re: [Curdle] Secdir last call review of draft-ietf-curdle-ssh-kex-sha2-14

"Mark D. Baushke" <mdb@juniper.net> Sun, 28 February 2021 17:26 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/FYc_ZoIuz_E2smNVMnBKP9kqxNk>

[CC- last-call@ietf.org] This message really only addresses specific
review comments...

Hi Ben and Mališa and Rene,

Benjamin Kaduk <kaduk@mit.edu> writes:

> Hi 
> 
> Thanks for the detailed review!
> 
> I can only answer for some of the points, so hopefully Mark can chime in as
> needed.

I will do what I can to address the points raised by everyone.

I do not believe that I can introduce anything about SHA-3 hashing as
that is not being used by Secure Shell key exchanges today and this is
really only a survey of the existing key exchanges.

I will try to do a better job about the objective requirements.

For example, the use of a 2048-bit MODP group with 112 bits of security
is fine to protect a 3des-cbc symmetric cipher with 112 bits of
security. However, it is not sufficient to protect an aes128 key with
128 bits of security. Likewise, a SHA-1 hash with 80 bits or less of
security is not really good to protect even the 3des-cbc cipher.

The reason I recommended that a 3072-bit MODP group be used was to
protect aes128 keys. I will try to make that point more explicit.

Thank you for all of the comments. I have to find time to incorporate
them.

With regard to Rene's question about changing Table 6...

Rene wrote:

> Section 1: “This document updates [RFC4250] [RFC4253] [RFC4432]
> [RFC4462] by changing the requirement level ("MUST" moving to "SHOULD"
> or "MAY" or "SHOULD NOT", and "MAY" moving to "MUST" or "SHOULD" or
> "SHOULD NOT" or "MUST NOT") of various key-exchange mechanisms.” - The
> specific updates to these documents are spread out throughout the text
> and pretty hard to grasp. It would be nice to see Table 6 updated, by
> adding the reference RFC that is being updated, alongside the RFC
> specifying the key exchange method, and maybe an old requirement
> level.

Table 6 presently has the kex name, RFC reference, and the
implementation guidance for the method. This is intended to be what
becomes the IANA table for key exchange method names. I am not entirely
sure I understand what is desired. Some methods do not have any language
about MUST, SHOULD, or MAY implement. So, the previous history is not
really defined. This is how the table might look if I list "none" for
those that are not called out in their RFCs:

   +==========================+===========+================+===========+
   | Key Exchange Method      | Reference | Previous       | Implement |
   | Name                     |           | Recommendation |           |
   +==========================+===========+================+===========+
   | curve25519-sha256        | RFC8731   | none           | SHOULD    |
   +--------------------------+-----------+----------------+-----------+
   | curve448-sha512          | RFC8731   | none           | MAY       |
   +--------------------------+-----------+----------------+-----------+
   | diffie-hellman-group-    | RFC4419   | none           | SHOULD    |
   | exchange-sha1            | RFC8270   |                | NOT       |
   +--------------------------+-----------+----------------+-----------+
   | diffie-hellman-group-    | RFC4419   | none           | MAY       |
   | exchange-sha256          | RFC8720   |                |           |
   +--------------------------+-----------+----------------+-----------+
   | diffie-hellman-          | RFC4253   | MUST           | SHOULD    |
   | group1-sha1              |           |                | NOT       |
   +--------------------------+-----------+----------------+-----------+
   | diffie-hellman-          | RFC4253   | MUST           | MAY       |
   | group14-sha1             |           |                |           |
   +--------------------------+-----------+----------------+-----------+
   | diffie-hellman-          | RFC8268   | none           | MUST      |
   | group14-sha256           |           |                |           |
   +--------------------------+-----------+----------------+-----------+
   | diffie-hellman-          | RFC8268   | none           | MAY       |
   | group15-sha512           |           |                |           |
   +--------------------------+-----------+----------------+-----------+
   | diffie-hellman-          | RFC8268   | none           | SHOULD    |
   | group16-sha512           |           |                |           |
   +--------------------------+-----------+----------------+-----------+
   | diffie-hellman-          | RFC8268   | none           | MAY       |
   | group17-sha512           |           |                |           |
   +--------------------------+-----------+----------------+-----------+
   | diffie-hellman-          | RFC8268   | none           | MAY       |
   | group18-sha512           |           |                |           |
   +--------------------------+-----------+----------------+-----------+
   | ecdh-sha2-*              | RFC5656   | MAY            | MAY       |
   +--------------------------+-----------+----------------+-----------+
   | ecdh-sha2-nistp256       | RFC5656   | MUST           | SHOULD    |
   +--------------------------+-----------+----------------+-----------+
   | ecdh-sha2-nistp384       | RFC5656   | MUST           | SHOULD    |
   +--------------------------+-----------+----------------+-----------+
   | ecdh-sha2-nistp521       | RFC5656   | MUST           | SHOULD    |
   +--------------------------+-----------+----------------+-----------+
   | ecmqv-sha2               | RFC5656   | MAY            | MAY       |
   +--------------------------+-----------+----------------+-----------+
   | ext-info-c               | RFC8308   | SHOULD         | SHOULD    |
   +--------------------------+-----------+----------------+-----------+
   | ext-info-s               | RFC8308   | SHOULD         | SHOULD    |
   +--------------------------+-----------+----------------+-----------+
   | gss-*                    | RFC4462   | none           | MAY       |
   +--------------------------+-----------+----------------+-----------+
   | gss-                     | RFC8732   | SHOULD         | SHOULD    |
   | curve25519-sha256-*      |           |                |           |
   +--------------------------+-----------+----------------+-----------+
   | gss-curve448-sha512-*    | RFC8732   | MAY            | MAY       |
   +--------------------------+-----------+----------------+-----------+
   | gss-gex-sha1-*           | RFC4462   | none           | SHOULD    |
   |                          |           |                | NOT       |
   +--------------------------+-----------+----------------+-----------+
   | gss-group1-sha1-*        | RFC4462   | none           | SHOULD    |
   |                          |           |                | NOT       |
   +--------------------------+-----------+----------------+-----------+
   | gss-group14-sha256-*     | RFC8732   | none           | SHOULD    |
   +--------------------------+-----------+----------------+-----------+
   | gss-group15-sha512-*     | RFC8732   | none           | MAY       |
   +--------------------------+-----------+----------------+-----------+
   | gss-group16-sha512-*     | RFC8732   | none           | MAY       |
   +--------------------------+-----------+----------------+-----------+
   | gss-group17-sha512-*     | RFC8732   | none           | MAY       |
   +--------------------------+-----------+----------------+-----------+
   | gss-group18-sha512-*     | RFC8732   | none           | MAY       |
   +--------------------------+-----------+----------------+-----------+
   | gss-nistp256-sha256-*    | RFC8732   | none           | SHOULD    |
   +--------------------------+-----------+----------------+-----------+
   | gss-nistp384-sha384-*    | RFC8732   | none           | SHOULD    |
   +--------------------------+-----------+----------------+-----------+
   | gss-nistp521-sha512-*    | RFC8732   | none           | SHOULD    |
   +--------------------------+-----------+----------------+-----------+
   | rsa1024-sha1             | RFC4432   | none           | MUST NOT  |
   +--------------------------+-----------+----------------+-----------+
   | rsa2048-sha256           | RFC4432   | none           | MAY       |
   +--------------------------+-----------+----------------+-----------+

I am not sure if this table is now too busy to be in the IANA table or
not and ask for suggestions to make the IANA table more useful.

My goal is to upload a -15 revision of the document on or soon after
March 8th when submissions are open again.

	Be safe, stay healthy,
	-- Mark
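As an added illustration of the weakest-link reasoning in the message above (this is example code, not part of the draft or of Mark's reply), a small Python checker estimates the strength of an SSH key-exchange method name as the minimum of its group or curve strength and its hash strength, then compares that with the strength of the cipher the exchange must protect. The 80/112/128-bit figures for 1024/2048/3072-bit MODP groups and SHA-1 are the ones the message cites; the figures for the larger groups, the curves and SHA-2 are assumed estimates for the purpose of the example.

```python
import re

# Estimated security strength (bits) of a MODP group by modulus size.
# 1024/2048/3072 follow the message (80/112/128); larger sizes are assumed estimates.
MODP_BITS = {1024: 80, 2048: 112, 3072: 128, 4096: 152, 6144: 176, 8192: 200}
# SSH named-group numbers -> modulus size in bits (groups 1, 14-18).
GROUP_SIZES = {1: 1024, 14: 2048, 15: 3072, 16: 4096, 17: 6144, 18: 8192}
# Assumed curve strengths (bits) for the ECDH-style methods in Table 6.
CURVE_BITS = {"curve25519": 128, "curve448": 224,
              "nistp256": 128, "nistp384": 192, "nistp521": 256}
# Hash strengths: SHA-1 counted at 80 bits as in the message; SHA-2 at half its output.
HASH_BITS = {"sha1": 80, "sha256": 128, "sha384": 192, "sha512": 256}
# ecdh-sha2-nistp* pairs each curve with a fixed hash.
NISTP_HASH = {"nistp256": "sha256", "nistp384": "sha384", "nistp521": "sha512"}


def kex_strength(name):
    """Strength of a kex method name: min(group or curve strength, hash strength)."""
    m = re.fullmatch(r"diffie-hellman-group(\d+)-(sha\d+)", name)
    if m:
        group_bits = MODP_BITS[GROUP_SIZES[int(m.group(1))]]
        return min(group_bits, HASH_BITS[m.group(2)])
    m = re.fullmatch(r"(curve25519|curve448)-(sha\d+)", name)
    if m:
        return min(CURVE_BITS[m.group(1)], HASH_BITS[m.group(2)])
    m = re.fullmatch(r"ecdh-sha2-(nistp\d+)", name)
    if m:
        curve = m.group(1)
        return min(CURVE_BITS[curve], HASH_BITS[NISTP_HASH[curve]])
    raise ValueError("unrecognised kex method: " + name)


def cipher_strength(name):
    """Strength of a symmetric cipher name: 3des-cbc is 112 bits, aesNNN-* is NNN bits."""
    if name.startswith("3des"):
        return 112
    m = re.match(r"aes(\d+)", name)
    if m:
        return int(m.group(1))
    if name.startswith("chacha20"):
        return 256
    raise ValueError("unrecognised cipher: " + name)


def kex_protects(kex, cipher):
    """True when the kex strength is at least the cipher strength (no weak link)."""
    return kex_strength(kex) >= cipher_strength(cipher)


def underpowered_kex(offered, cipher):
    """Return the offered kex names too weak for the given cipher, for a config review."""
    return [k for k in offered if not kex_protects(k, cipher)]


if __name__ == "__main__":
    offered = ["diffie-hellman-group14-sha256", "diffie-hellman-group15-sha512",
               "curve25519-sha256", "diffie-hellman-group14-sha1"]  # constructed sample
    print(underpowered_kex(offered, "aes128-ctr"))
```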