Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 & draft-ietf-curdle-ssh-kex-sha2

Damien Miller <djm@mindrot.org> Tue, 13 September 2016 17:47 UTC

Date: Wed, 14 Sep 2016 03:47:20 +1000
From: Damien Miller <djm@mindrot.org>
To: "Mark D. Baushke" <mdb@juniper.net>
In-Reply-To: <41049.1473653352@eng-mail01.juniper.net>
Message-ID: <alpine.BSO.2.20.1609140340320.58455@natsu.mindrot.org>
References: <41049.1473653352@eng-mail01.juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/n7u1LVByKLNu7Q9wPATpbYRtMy8>
Cc: Curdle <curdle@ietf.org>, IETF SSH <ietf-ssh@NetBSD.org>
Subject: Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 & draft-ietf-curdle-ssh-kex-sha2


On Sun, 11 Sep 2016, Mark D. Baushke wrote:

> I have split out a new draft draft-ietf-curdle-ssh-modp-dh-sha2 [1]
> (called "new-modp" in the Reference table below) forked from the
> draft-ietf-curdle-ssh-kex-sha2-04 draft. It specifies the new MOD DH KEX
> Groups that use SHA-2 hashes. This edition specifies both the new
> diffie-hellman-group* names of the -04 revision as well as adding the
> gss-group* names.
> 
> Before I update draft-ietf-curdle-ssh-kex-sha2-05 to point to it, I
> would like to take a straw poll of which algorithms (if any) should be
> defined as a MUST to implement. My personal preference was just
> curve25519-sha256. However, at least a few implementors have said that
> they were not planning to do any ECDH implementations. So, I am guessing
> that "diffie-hellman-group14-sha256" may be the only one that everyone
> might be able to agree is a MUST to implement.

I agree with your choice of MUST. Two other nits:

> Key Exchange Method Name              Reference     Note
> curve25519-sha256                     ssh-curves    MUST
> curve448-sha512                       ssh-curves    MAY
> diffie-hellman-group-exchange-sha1    RFC4419       SHOULD NOT
> diffie-hellman-group-exchange-sha256  RFC4419       MAY
> diffie-hellman-group1-sha1            RFC4253       SHOULD NOT
> diffie-hellman-group14-sha1           RFC4253       SHOULD
> diffie-hellman-group14-sha256         new-modp      MUST
> diffie-hellman-group15-sha512         new-modp      MAY
> diffie-hellman-group16-sha512         new-modp      SHOULD
> diffie-hellman-group17-sha512         new-modp      MAY
> diffie-hellman-group18-sha512         new-modp      MAY
> ecdh-sha2-nistp256                    RFC5656       SHOULD
> ecdh-sha2-nistp384                    RFC5656       SHOULD
> ecdh-sha2-nistp521                    RFC5656       SHOULD
> ecdh-sha2-*                           RFC5656       MAY
> ecmqv-sha2                            RFC5656       MAY

Has anyone ever implemented this? AFAIK the motivation for this was
MQV being included in NSA Suite B at the time, but it was subsequently
dropped. IMO if nobody is using it then it should be recommended
against, i.e. SHOULD NOT.

> gss-group14-sha1-*                    RFC4462       SHOULD
> gss-group14-sha256-*                  new-modp      SHOULD

IMO these two should be MAY. Most implementations don't support
GSSAPI key exchange at all.

Thanks for your patience in wrangling this.

-d
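
As an added example, not code from this thread, from either draft or from any SSH implementation, the script below parses an SSH_MSG_KEXINIT payload as laid out in RFC 4253 section 7.1 and grades each key exchange method the peer advertises against Mark's straw-poll table as quoted above. Damien's two suggested changes (ecmqv-sha2 to SHOULD NOT, gss-group14-* to MAY) are available as an optional overlay so the two positions can be compared. The KEXINIT bytes audited offline are constructed inline, the gss-* suffix in the sample is a placeholder rather than a real mechanism-OID hash, and the client identification string in fetch_server_kexinit is made up; only that function touches the network, and only when you call it.

```python
# Added example: grade the kex methods in an SSH_MSG_KEXINIT against the straw-poll
# table above. Not code from the thread or any SSH implementation; sample bytes are constructed.
import socket
import struct

SSH_MSG_KEXINIT = 20
# Baushke's table as quoted (exact names); rows ending in "*" are in STRAW_POLL_PREFIXES.
STRAW_POLL = {
    "curve25519-sha256": "MUST", "curve448-sha512": "MAY",
    "diffie-hellman-group-exchange-sha1": "SHOULD NOT",
    "diffie-hellman-group-exchange-sha256": "MAY",
    "diffie-hellman-group1-sha1": "SHOULD NOT", "diffie-hellman-group14-sha1": "SHOULD",
    "diffie-hellman-group14-sha256": "MUST", "diffie-hellman-group15-sha512": "MAY",
    "diffie-hellman-group16-sha512": "SHOULD", "diffie-hellman-group17-sha512": "MAY",
    "diffie-hellman-group18-sha512": "MAY", "ecdh-sha2-nistp256": "SHOULD",
    "ecdh-sha2-nistp384": "SHOULD", "ecdh-sha2-nistp521": "SHOULD", "ecmqv-sha2": "MAY",
}
STRAW_POLL_PREFIXES = {"gss-group14-sha1-": "SHOULD", "gss-group14-sha256-": "SHOULD",
                       "ecdh-sha2-": "MAY"}  # checked after exact names, in this order
# Miller's two nits from the reply, applied only when miller_nits=True.
MILLER_NITS = {"ecmqv-sha2": "SHOULD NOT"}
MILLER_NITS_PREFIXES = {"gss-group14-sha1-": "MAY", "gss-group14-sha256-": "MAY"}
KEXINIT_FIELDS = ("kex_algorithms", "server_host_key_algorithms",
                  "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
                  "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c")

def grade(name, miller_nits=False):
    """Keyword the table assigns to one kex method name, or UNLISTED."""
    exact = {**STRAW_POLL, **(MILLER_NITS if miller_nits else {})}
    prefixes = {**STRAW_POLL_PREFIXES, **(MILLER_NITS_PREFIXES if miller_nits else {})}
    if name in exact:
        return exact[name]
    return next((s for p, s in prefixes.items() if name.startswith(p)), "UNLISTED")

def _namelist(buf, off):
    """Decode one RFC 4251 name-list (uint32 length, comma-separated ASCII) at off."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n]
    if len(raw) != n:
        raise ValueError("truncated name-list body")
    return (raw.decode("ascii").split(",") if n else []), off + 4 + n

def parse_kexinit(payload):
    """Parse KEXINIT (RFC 4253 7.1): byte 20, 16-byte cookie, 10 name-lists, bool, uint32."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 1 + 16, {}
    for field in KEXINIT_FIELDS:
        out[field], off = _namelist(payload, off)
    if off + 5 > len(payload):
        raise ValueError("truncated KEXINIT trailer")
    out["first_kex_packet_follows"] = bool(payload[off])
    return out

def build_kexinit(kex_algorithms, cookie=b"\x00" * 16):
    """Construct a minimal KEXINIT payload for offline use (not a real capture)."""
    def nl(names):
        raw = ",".join(names).encode("ascii")
        return struct.pack(">I", len(raw)) + raw
    lists = [kex_algorithms, ["ssh-ed25519"], ["aes128-ctr"], ["aes128-ctr"],
             ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], []]
    return bytes([SSH_MSG_KEXINIT]) + cookie + b"".join(map(nl, lists)) + b"\x00" + struct.pack(">I", 0)

def audit_kex(payload, miller_nits=False):
    """Map each advertised kex method (peer preference order) to its table keyword."""
    return {n: grade(n, miller_nits) for n in parse_kexinit(payload)["kex_algorithms"]}

def discouraged(payload, miller_nits=False):
    """Advertised methods the table marks SHOULD NOT."""
    return [n for n, s in audit_kex(payload, miller_nits).items() if s == "SHOULD NOT"]

def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Live check: identification exchange, then return the server's raw KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexaudit_example\r\n")  # hypothetical client id string
        f = sock.makefile("rb")
        line = b""
        while not line.startswith(b"SSH-"):  # servers may send other lines first
            line = f.readline()
            if not line:
                raise ConnectionError("no identification string received")
        (packet_length,) = struct.unpack(">I", f.read(4))  # first packet is unencrypted
        padding_length = f.read(1)[0]
        return f.read(packet_length - padding_length - 1)

# Constructed sample; the gss-* suffix is a placeholder, not a real mechanism-OID hash.
SAMPLE_KEX = ["curve25519-sha256", "diffie-hellman-group14-sha256",
              "diffie-hellman-group1-sha1", "ecmqv-sha2", "gss-group14-sha256-EXAMPLE"]
SAMPLE_KEXINIT = build_kexinit(SAMPLE_KEX)

if __name__ == "__main__":
    for name, status in audit_kex(SAMPLE_KEXINIT, miller_nits=True).items():
        print(f"{name:45s} {status}")
```

Run as a script it audits the constructed sample; to audit a real host, pass the bytes returned by fetch_server_kexinit(host) to audit_kex or discouraged instead. The exact-name lookup runs before the prefix rows, so ecdh-sha2-nistp256 gets the table's SHOULD rather than the ecdh-sha2-* MAY, and names the table never mentions (vendor-suffixed variants, for instance) come back as UNLISTED rather than being silently accepted.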