IETF Logo Mail Archive

Re: [Curdle] Kathleen Moriarty's Yes on draft-ietf-curdle-ssh-dh-group-exchange-05: (with COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 15 September 2017 20:42 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AE12132944; Fri, 15 Sep 2017 13:42:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rEfgt8CsDnpV; Fri, 15 Sep 2017 13:42:19 -0700 (PDT)
Received: from mail-pg0-x22f.google.com (mail-pg0-x22f.google.com [IPv6:2607:f8b0:400e:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DCD8126E64; Fri, 15 Sep 2017 13:42:19 -0700 (PDT)
Received: by mail-pg0-x22f.google.com with SMTP id i195so2141417pgd.9; Fri, 15 Sep 2017 13:42:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=98YHEnWOi7GU7T0vDelO+OjFtqQKVHYrUiTgjP05XYc=; b=DVBVKNu2/CW0Z29ZMQXib/5aNSyVjuopoiN64zreW8D9HWuXaWYXcbG/IthO0wmpSh I9FY83QgmticiAONz7swwQITOLmWQET8SAHI6k9T8SlhEHauDgb4ZLNtVj1L5iJ+bhqq ahWaMpk2GDaQnW8WTWntgYwV40eW0/bZGExpsQMuYbkdFccVkMWxyr+c9XXdBf0XN0ku o8HwZBIo70AIijFEUJPHIC0VcjZCVzZND0XMr2J6F9wjjSA4hBG0Lv3tSpAkniwPqdT2 r5b87eMWEUD8CYn8XpLaMMLfUzbcF9OApYTbXp5580n4bV1/GARdzIfMJPM6kLToqqCz mPgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=98YHEnWOi7GU7T0vDelO+OjFtqQKVHYrUiTgjP05XYc=; b=hGr6YT8FlQ9rmCF3R6FKIlF7u7RD1BXfqtS4VKjXDJW5eMApx4ybJjL16TCWQcP5ea SO6Hy5FaCpSOQa90Y2eEp5vDJ0p4eoMAPBn4ecw313LcP3b5k/+FaM14pNSFLt+JxDH8 kiNc77A02JrN3wYtXwOAgrj12UCZeLQ2QP5MVWs5CB3M6DjXbfLVh6VmhUQDn2OSQb7v yTvQXv3BR/joaz970MwUS0V2PDEAcwP7fAzTSPmBWThEZKZMagO1v3arEyPvjyTU8Oc+ +CHNKZGjdALkwFCa7BDHEgXin0QVGlpgJTX4tVZ6qAfksVDnJsd722X629cz6RV7/YCn xK5A==
X-Gm-Message-State: AHPjjUhhVv6lj8XgeRfIL6q8TEarH1i4xy6HsC8ntVTEp6ayuDJmcvUO 5TRpk7HUXwkdD76OjDJwdaeBFBUyBvFAXPycMc0=
X-Google-Smtp-Source: AOwi7QD00gLLR4YNHOW6GL6kDS2s1VUiIj8BzMKGFBRROD+jE7rnqdZqrhWmsgA5+V30rEb5t+XrfqD5PflX7kgEfZ8=
X-Received: by 10.98.103.89 with SMTP id b86mr854303pfc.319.1505508138869; Fri, 15 Sep 2017 13:42:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.144.1 with HTTP; Fri, 15 Sep 2017 13:41:38 -0700 (PDT)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 15 Sep 2017 16:41:38 -0400
Message-ID: <CAHbuEH7O=v2k7UWH-nw-+G80oW7q-pK=F7vxB91BfLRuGsXCJw@mail.gmail.com>
To: "Mark D. Baushke" <mdb@juniper.net>
Cc: "Salz, Rich" <rsalz@akamai.com>, Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>, Loganaden Velvindron <logan@hackers.mu>, draft-ietf-curdle-ssh-dh-group-exchange <draft-ietf-curdle-ssh-dh-group-exchange@ietf.org>, curdle <curdle@ietf.org>, curdle <curdle-chairs@ietf.org>, The IESG <iesg@ietf.org>, Daniel Migault <daniel.migault@ericsson.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/miovg_K-FzrWta-neYCCE86Rz3M>
Subject: Re: [Curdle] Kathleen Moriarty's Yes on draft-ietf-curdle-ssh-dh-group-exchange-05: (with COMMENT)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Sep 2017 20:42:21 -0000

Hi Mark,

On Fri, Sep 15, 2017 at 3:59 PM, Mark D. Baushke <mdb@juniper.net> wrote:
> Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> writes:
>
>> Mark,
>>
>> Thanks for your detailed response, I appreciate it.  Inline.
>
> Trimmed response, likewise inline.
>
>> On Fri, Sep 15, 2017 at 2:25 PM, Mark D. Baushke <mdb@juniper.net> wrote:
>> > Salz, Rich <rsalz@akamai.com> writes:
>> >
>> Embedded equipment is a tough problem.
>
> Yes.
>
>> So for this, your worried about new purchases.
>
>> If it's already purchased, then we are talking an audit issue and
>> possibly not having funds to buy some million dollar piece of
>> equipment that happens to support less than 2048.
>
> Well, one hopes that with a million dollar piece of equipment, there is
> a support cotract and a way to update the software in that box.

One would think, but that's a real example and nothing could be done.
It's not uncommon either.

>
> I was more concerned with needing to sell software to manage thousands
> of very low price embedded devices and still be able to inter-operate
> between the management station and the devices.
>
> For example, a conformant implementation that MUST use 2048 bit keys,
> but needs to talk to a device only able to use 1024 bit keys has a
> problem. Likewise if the embedded devices only support
> diffie-hellman-group1-sha1 as they were two small and slow to manage
> with diffie-hellman-group14-sha1 when deployed as a read-only device.
>
> Does my management station get to talk to those old devices when MUST is
> present and exact conformance to the specification is mandated?

OK, thanks for providing that example, it's helpful and I see your
point better now.

>
>> Hmm, in the past, I've done thing to mitigate threats like isolating
>> such hosts when the threat warranted measures. I see your point, I'm
>> just trying to walk through real instances of issues to make sure we
>> are considering options well.
>
> Yes, and I really appreciate that we are getting this into the archive.
>
>> > For draft-ietf-curdle-ssh-dh-group-exchange, RFC4419 does not use the
>> > word "MUST" for the current 1024 bit value. So, in this case, just
>> > updating a SHOULD from a SHOULD seems reasonable to me. If it were a
>> > MUST, then I would probably advocate for SHOULD NOT as the step down.
>> >
>> > For example, I would have no objection to adding text which says that
>> > the min value in the SSH_MSG_KEY_DH_GEX_REQUEST SHOULD NOT be less than
>> > 2048.
>> >
>> > fwiw: I also suspect that 2048 will not survive more than another couple
>> > of years and would not mind saying that "n SHOULD be 3072 or greater". I
>> > do not believe that view is accepted by everyone, so 2048 bits is what
>> > is in place for now.
>>
>> Hmm, than it would be good to make a note of this so those who are
>> replacing embedded equipment make the leap to a higher value than
>> 2048.  This can be in the non normative text.
>
> So, using words like 'desirable' rather than recommended or should?
> I guess that might be a way to approach it for this particular draft.
>
> I am less certain how to deal with the more general issue of algorithm
> deprecation in the security area. Guessing wrong can be very expensive.
>
>> There are a few published RFCs (I think some CMS RFCs) that took on a
>> notion of SHOULD - and SHOULD + as well as MUST + MUST -.  I see the
>> JOSE algorithms RFC also uses recommended + and recommended -.  The
>> minus shows that although this is kinda okay now, it really isn't
>> recommended and shouldn't be in new products.
>
> Yes, I had used that in early drafts of draft-ietf-curdle-ssh-kex-sha2
> and eventually removed it due to comments not liking it.

Hmm, I still see a table with the SHOULD, MUST, etc. listed out for
that draft?  I don't see the use of SHOULD +/-, MUST +/- and think it
might help in cases like this draft where you have mushy guidance.

I still think some warning that 2048 as the minimum recommendation may
change to 3072 or greater in a couple of years should be in a non
normative statement for developers to plan ahead as a minimum.

>
>> Do you think that approach could help to allow some flexibility, but
>> also show 1024 is on it's way out the door and 2048 will follow soon?
>
> I do not think that moving to 'a min value of 2048  SHOULD+ be used'
> will do much to help this particular case.

I would actually be recommending min value of SHOULD - as it will not
be recommended in a few years and is on a decline.  SHOULD + typically
indicates that it will be required as a MUST next, whereas in this
case, it will be deprecated in a few years.

Thanks,
Kathleen

>
>         -- Mark



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email