Re: [Curdle] State of draft-ietf-curdle-ssh-kex-sha2?

"Mark D. Baushke" <mdb@juniper.net> Sun, 12 July 2020 09:38 UTC

From: "Mark D. Baushke" <mdb@juniper.net>
To: denis bider <denisbider.ietf@gmail.com>
CC: curdle <curdle@ietf.org>, curdle-chairs <curdle-chairs@ietf.org>
Date: Sun, 12 Jul 2020 02:36:41 -0700
Message-ID: <2306.1594546601@eng-mail01.juniper.net>
In-Reply-To: <CADPMZDB8oXAg0g0oJvZmkK1XPhb28SQPnxwRmL9umzFXkH0ogQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/SELOXZPKhJ67arNd14b8QGWpv_Y>

Hi denis,

denis bider <denisbider.ietf@gmail.com> writes:

> Hey everyone,
> 
> I notice the following draft has not moved forward:
> 
> https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/
> 
> This seems to be an important draft which would standardize the
> current use of key exchange algorithms in SSH. However, it looks like
> no changes have been made in 2.5 years?

Correct.

> Did I miss some event where this draft morphed into something else so
> that I'm not seeing the right information about progress?

I have not progressed the draft, mostly due to private email received
over two years ago...

A number of people told me to not move it forward until after all of the
RFCs for draft-ietf-curdle-ssh-curves (now RFC 8731) and
draft-ietf-curdle-gss-keyex-sha2 (now RFC 8732) were adopted. Also, many
people were unhappy with the characterizations of the existing
algorithms and my scoring of MUST, SHOULD, and MAY.

In addition, there was a general dislike for the references of the NSA
documents provided or the CNSA document reference.

> Otherwise, what seems to be the current obstacle with making progress
> on this?

I think that work on the document is desirable. Does anyone wish to be a
co-author with me?

I would like to see more opinions on the list about which algorithms are
to be 'SHOULD NOT' and which are to be 'MUST' ... in general, I would
like to see this document as a KEX reference that may be updated every
few years as we learn more about which KEX algorithms are best to use.

My opinion for Section 5 as I write this email today is:

      Key Exchange Method Name             Reference  Implement
      ------------------------------------ ---------- ----------
      curve25519-sha256                    RFC8731    SHOULD
      curve448-sha512                      RFC8731    MAY
      diffie-hellman-group-exchange-sha1   RFC4419    SHOULD NOT
      diffie-hellman-group-exchange-sha256 RFC4419    MAY
      diffie-hellman-group1-sha1           RFC4253    SHOULD NOT
      diffie-hellman-group14-sha1          RFC4253    SHOULD NOT
      diffie-hellman-group14-sha256        RFC8268    SHOULD
      diffie-hellman-group15-sha256        RFC8268    MAY
      diffie-hellman-group16-sha512        RFC8268    MUST
      diffie-hellman-group17-sha512        RFC8268    MAY
      diffie-hellman-group18-sha512        RFC8268    MAY
      ecdh-sha2-*                          RFC5656    MAY
      ecdh-sha2-nistp256                   RFC5656    SHOULD
      ecdh-sha2-nistp384                   RFC5656    SHOULD
      ecmqv-sha2                           RFC5656    MAY
      ext-info-c                           RFC8308    SHOULD
      ext-info-s                           RFC8308    SHOULD
      gss-*                                RFC4462    MAY
      gss-curve25519-sha256-*              RFC8732    SHOULD
      gss-curve448-sha512-*                RFC8732    MAY
      gss-gex-sha1-*                       RFC4462    SHOULD NOT
      gss-group1-sha1-*                    RFC4462    SHOULD NOT
      gss-group14-sha256-*                 RFC8732    SHOULD
      gss-group15-sha512-*                 RFC8732    MAY
      gss-group16-sha512-*                 RFC8732    SHOULD
      gss-group17-sha512-*                 RFC8732    MAY
      gss-group18-sha512-*                 RFC8732    MAY
      gss-nistp256-sha256-*                RFC8732    SHOULD
      gss-nistp384-sha384-*                RFC8732    MAY
      gss-nistp521-sha512-*                RFC8732    MAY
      rsa1024-sha1                         RFC4432    MUST NOT
      rsa2048-sha256                       RFC4432    MAY

The above list of KEX algorithms comes from the IANA ssh-parameters list
URL:
https://www.iana.org/assignments/ssh-parameters/ssh-parameters.xhtml#ssh-parameters-16

Please let me know if I have missed any of the KEX algorithms in the
list.

Of these, I am not sure if rsa2048-sha256 has support for a 'MAY' or if
its lack of use would drive it to a 'SHOULD NOT' in the table.

To be honest, I am really not sure which KEX algorithms should be listed
as Mandatory To Implement (MTI) for key exchanges going forward.

Which diffie-hellman FFC group should be listed as MTI? group14-sha256
or group16-sha512? (I tentatively selected this one). Is that wise?
Should any FFC Diffie-Hellman group size be MTI?

I would like to hear if others on this list believe that
curve25519-sha256 should be a MUST or a SHOULD.

I also do not know if the expired draft-ietf-curdle-ssh-kex-sha2
document should bother to give opinions on any of the KEX options other
than those being deprecated or thrust into MTI. Opinions please?

It seems clear to me that removing the *-sha1* KEX algorithms is a good
idea. I would love to move diffie-hellman-group14-sha1, but I honestly
suspect that some hardware is deployed for which it is the only KEX
algorithm that may still need to be supported... which is the only
reason it is a 'SHOULD' on my list instead of a 'SHOULD NOT' ...

        Be safe, stay healthy,
        -- Mark
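As an added example (not part of this message, of draft-ietf-curdle-ssh-kex-sha2, or of any SSH implementation), the following Python script applies the proposed Section 5 table above to a server's configured key-exchange list and reports anything rated SHOULD NOT or MUST NOT, names the table does not cover, and any MUST method that is absent. It accepts either an sshd_config/ssh_config fragment with a KexAlgorithms line or a bare list such as `ssh -Q kex` prints. The wildcard rows (ecdh-sha2-*, gss-*) are resolved so that an exact row beats a family row and the longest matching family wins. The sshd_config fragment at the bottom is constructed sample input; the gss-* suffix in it is the base64 mechanism suffix OpenSSH uses for Kerberos, included only as realistic-looking data.

```python
"""Audit an SSH key-exchange list against the KEX table proposed above.

Added example, not part of the message or of draft-ietf-curdle-ssh-kex-sha2.
Input is either an sshd_config/ssh_config fragment containing a KexAlgorithms
line, or a bare list such as the output of `ssh -Q kex` (one name per line or
comma-separated).
"""
import fnmatch
import re

# Requirement levels copied from the Section 5 proposal in the message above.
# Names ending in '*' are families; an exact entry overrides a family entry,
# and the longest matching family wins (gss-group14-sha256-* beats gss-*).
POLICY = {
    "curve25519-sha256": "SHOULD",
    "curve448-sha512": "MAY",
    "diffie-hellman-group-exchange-sha1": "SHOULD NOT",
    "diffie-hellman-group-exchange-sha256": "MAY",
    "diffie-hellman-group1-sha1": "SHOULD NOT",
    "diffie-hellman-group14-sha1": "SHOULD NOT",
    "diffie-hellman-group14-sha256": "SHOULD",
    "diffie-hellman-group15-sha256": "MAY",
    "diffie-hellman-group16-sha512": "MUST",
    "diffie-hellman-group17-sha512": "MAY",
    "diffie-hellman-group18-sha512": "MAY",
    "ecdh-sha2-*": "MAY",
    "ecdh-sha2-nistp256": "SHOULD",
    "ecdh-sha2-nistp384": "SHOULD",
    "ecmqv-sha2": "MAY",
    "ext-info-c": "SHOULD",   # RFC 8308 extension indicators, not key exchanges
    "ext-info-s": "SHOULD",
    "gss-*": "MAY",
    "gss-curve25519-sha256-*": "SHOULD",
    "gss-curve448-sha512-*": "MAY",
    "gss-gex-sha1-*": "SHOULD NOT",
    "gss-group1-sha1-*": "SHOULD NOT",
    "gss-group14-sha256-*": "SHOULD",
    "gss-group15-sha512-*": "MAY",
    "gss-group16-sha512-*": "SHOULD",
    "gss-group17-sha512-*": "MAY",
    "gss-group18-sha512-*": "MAY",
    "gss-nistp256-sha256-*": "SHOULD",
    "gss-nistp384-sha384-*": "MAY",
    "gss-nistp521-sha512-*": "MAY",
    "rsa1024-sha1": "MUST NOT",
    "rsa2048-sha256": "MAY",
}

DISCOURAGED = ("SHOULD NOT", "MUST NOT")


def classify(name):
    """Return the proposed level for one KEX name, or None if the table does
    not cover it (e.g. vendor names such as curve25519-sha256@libssh.org)."""
    if name in POLICY:
        return POLICY[name]
    best = None
    for pattern, level in POLICY.items():
        if pattern.endswith("*") and fnmatch.fnmatchcase(name, pattern):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, level)
    return best[1] if best else None


def parse_kex_list(text):
    """Extract KEX names from a config fragment or from a bare list."""
    m = re.search(r"^\s*kexalgorithms\s*=?\s*(\S+)", text, re.I | re.M)
    if m:
        value = m.group(1)
        if value[0] in "+-^":
            # +/-/^ modify OpenSSH's built-in default list; the effective set
            # cannot be known from the file alone, so refuse to guess.
            raise ValueError("KexAlgorithms uses a +/-/^ modifier; "
                             "supply the effective list (ssh -Q kex)")
        return [n for n in value.split(",") if n]
    return [n for n in re.split(r"[,\s]+", text.strip()) if n]


def audit(text):
    """Classify every configured KEX name and report policy findings."""
    names = parse_kex_list(text)
    levels = {n: classify(n) for n in names}
    return {
        "levels": levels,
        "deprecated": [n for n, lv in levels.items() if lv in DISCOURAGED],
        "unknown": [n for n, lv in levels.items() if lv is None],
        "missing_must": sorted(
            n for n, lv in POLICY.items()
            if lv == "MUST" and not n.endswith("*") and n not in levels),
    }


# Constructed sample sshd_config fragment (not taken from the message).
SAMPLE_CONFIG = """\
Port 22
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,\
ecdh-sha2-nistp256,diffie-hellman-group14-sha1,\
diffie-hellman-group-exchange-sha256,gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==
"""

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for name, level in report["levels"].items():
        print(f"{name:55} {level or 'not in table'}")
    print("deprecated:  ", report["deprecated"])
    print("unknown:     ", report["unknown"])
    print("missing MUST:", report["missing_must"])
```

On the sample input the script flags diffie-hellman-group14-sha1 as SHOULD NOT, reports curve25519-sha256@libssh.org as not covered by the IANA-derived table (it is the pre-RFC 8731 name for the same exchange, so a real audit would map it by hand), and notes that the one proposed MUST, diffie-hellman-group16-sha512, is not configured. A KexAlgorithms value beginning with +, - or ^ is rejected rather than guessed at, because the resulting list depends on the OpenSSH build's default set.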