Re: [Curdle] Looking for comments on draft-ietf-curdle-ssh-kex-sha2

Ron Frederick <ronf@timeheart.net> Sun, 16 August 2020 21:00 UTC

Return-Path: <ronf@timeheart.net>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DBAD3A07A9 for <curdle@ietfa.amsl.com>; Sun, 16 Aug 2020 14:00:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=timeheart.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P0IA7H0-SkAq for <curdle@ietfa.amsl.com>; Sun, 16 Aug 2020 14:00:30 -0700 (PDT)
Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FCBD3A0775 for <curdle@ietf.org>; Sun, 16 Aug 2020 14:00:30 -0700 (PDT)
Received: by mail-pl1-x630.google.com with SMTP id t10so6475153plz.10 for <curdle@ietf.org>; Sun, 16 Aug 2020 14:00:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timeheart.net; s=mail; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=CAQxjJbYSwktVMSYNM1F2258HtFbeWBIJmnPjfVhIv4=; b=Ub7CyZMj9MnYela/9FHTvgbNG+sEkp++yXY68+nlnehrk9VF3/weBs5v618SgZy7bN 5nDGn+aM2dkMqPqq4mfulm5MpTm/Jm1IV72NWrOJEDzybiYbW3Q0h2RhupwFjt9P7kX3 7RROLaHC4ZpNsKfJsEdDmu87IeNCTBeC1hULc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=CAQxjJbYSwktVMSYNM1F2258HtFbeWBIJmnPjfVhIv4=; b=Bd67bJCphbzIz0PobLOamErOhnrbnDY9qay0OZ+YiiD5fYxWbXV5reh+VTGB9BvrlK K8sz2w4ZXLfqLkGsPfIXECrk0uacKJJHlYwAVIliqO3oAVHIRnkQtKKCbLEAfYEQaIZa gLvYPkI78qyrh95cDINOb6PuJn0hAFmHf/uaw7MkoXPh1uudQqb/FQBwLtRVXqHQXZud QbbdQAlHPo6Szch7FKaaPvf1izwZHW64GXdcTgCOekXcY5YyUFstsOKp/I+E5jpgAmH5 QuE0OE0zWDjddmzsxTk5T09kghmTV7OQZhTJhXmPWIQtDyMOv9R5FVh6IHhDqp2ku1V9 fdxg==
X-Gm-Message-State: AOAM532ZGvthprj+4KUjusi2dcB99m2hbvgWm05toTHbHhoTJRzRae96 Tn4AiINoY+H7IeX6ToVyvuhjRg==
X-Google-Smtp-Source: ABdhPJw8YV2XIVzCTNypaDHv8mmo+6kdFPjoHul+3P7luU3RDnSWNy1BB/mQuExmR/py+HphBQek0g==
X-Received: by 2002:a17:90b:784:: with SMTP id l4mr9539925pjz.96.1597611629712; Sun, 16 Aug 2020 14:00:29 -0700 (PDT)
Received: from ?IPv6:2603:3024:18fa:4000:18ef:20ad:6833:584c? ([2603:3024:18fa:4000:18ef:20ad:6833:584c]) by smtp.gmail.com with ESMTPSA id w15sm15708749pjk.13.2020.08.16.14.00.28 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 16 Aug 2020 14:00:29 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
From: Ron Frederick <ronf@timeheart.net>
In-Reply-To: <25423.1596646626@eng-mail01.juniper.net>
Date: Sun, 16 Aug 2020 14:00:27 -0700
Cc: curdle@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <D290968F-2733-40CB-918A-452AD74951B6@timeheart.net>
References: <25423.1596646626@eng-mail01.juniper.net>
To: "Mark D. Baushke" <mdb=40juniper.net@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3445.104.14)
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/r37LUa-KaE4bHrLmijCiPKE4wuk>
Subject: Re: [Curdle] Looking for comments on draft-ietf-curdle-ssh-kex-sha2
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Aug 2020 21:00:32 -0000

Hi Mark,

On Aug 5, 2020, at 9:57 AM, Mark D. Baushke <mdb=40juniper.net@dmarc.ietf.org> wrote:
> Before IETF-108, I uploaded a new edition of
> 
>  Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)
>  https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/
> 
> with the hope of
> 
>  a) Providing a survey of existing IANA Secure Shell (SSH) Protocol
>     Parameters for Key Exchange Method Names
>     https://www.iana.org/assignments/ssh-parameters/ssh-parameters.xhtml#ssh-parameters-16
> 
>  b) identifying a KEX to replace the current MUST implement exchanges:
> 
>       diffie-hellman-group1-sha1
>       diffie-hellman-group14-sha1
> 
>  c) the desire to be deprecate any KEX which use sha1 as the secure hash:
> 
>       diffie-hellman-group-exchange-sha1
>       diffie-hellman-group1-sha1
>       diffie-hellman-group14-sha1
>       gss-group1-sha1-*
>       gss-group14-sha1-*
>       gss-gex-sha1-*
>       rsa1024-sha1
> 
>  d) A desire that the IANA KEX parameters contain another column in the
>     table to indicate MUST, SHOULD, SHOULD NOT, MUST NOT, and MAY.
> 
> I have tried to indicate general guidance for the rest of the Method
> Names, but many of the guidelines may be my personal opinion even though
> I have tried to be objective throughout.

This generally looks good to me. Here are a few more detailed comments:

- Sections 3.14 and 3.15 list the ext-info values as SHOULD (which I agree with). However, your table in section 5 has them marked as MAY.

- I noticed you dropped diffie-hellman-group14-sha256 back from MUST to SHOULD, leaving no algorithms listed as MUST. I’d still like to see at least one algorithm be listed as MUST, and think this is probably the safest candidate for that.

- I’m also thinking diffie-hellman-group15-sha512 might be a good candidate for a SHOULD rather than a MAY, but I’m not sure we have consensus on that.

- I agree with the downgrade of diffie-hellman-group16-sha512 from SHOULD to MAY.

- Regarding possible ECDSA algorithms, I implemented the secp256k1 curve as ecdh-sha21.3.132.0.10 in AsyncSSH after seeing it was implemented by Bitvise. I don’t know if it is worth mentioning here explicitly, but it’s one real-world example of an ecdh-sha2-* algorithm not explicitly given a name in RFC 5656. The ‘endsa-sha2’ algorithm with this curve is also supported.
-- 
Ron Frederick
ronf@timeheart.net