[IPsec] Stephen Farrell's Yes on draft-ietf-ipsecme-safecurves-05: (with COMMENT)
Tero Kivinen <kivinen@iki.fi> Thu, 13 October 2016 12:04 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7457412943B; Thu, 13 Oct 2016 05:04:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OLf_XcL0tQrx; Thu, 13 Oct 2016 05:04:35 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86E8D129426; Thu, 13 Oct 2016 05:04:31 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id u9DC4I8R014998 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 13 Oct 2016 15:04:18 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id u9DC4IqM026752; Thu, 13 Oct 2016 15:04:18 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <22527.30786.897423.123891@fireball.acr.fi>
Date: Thu, 13 Oct 2016 15:04:18 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <147635944969.2874.17979129045296855264.idtracker@ietfa.amsl.com>
References: <147635944969.2874.17979129045296855264.idtracker@ietfa.amsl.com>
X-Mailer: VM 8.2.0b under 24.5.1 (x86_64--netbsd)
X-Edit-Time: 11 min
X-Total-Time: 10 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/CnfIILafDWDV0UYSCkSoMbdjCCg>
Cc: ipsec@ietf.org, ipsecme-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-ipsecme-safecurves@ietf.org
Subject: [IPsec] Stephen Farrell's Yes on draft-ietf-ipsecme-safecurves-05: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2016 12:04:39 -0000
Stephen Farrell writes: > Stephen Farrell has entered the following ballot position for > draft-ietf-ipsecme-safecurves-05: Yes > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > - Sorry if I'm forgetting how we handle this in IPsec, > but is an implementation of this RFC expected to support > both curves? I think it'd be ok to say that 25519 is a > MUST for folks doing, this but that 448 is optional. I'm > also fine if we mean that implementing this means you > have to support both btw but you don't say (here) that > that's the case. In IPsec we do not specify any requirement levels in the actual algorithm documents. The algorithm documents just allocate the IANA numbers and specify how they algorithms are used. Then we have separate documents (new versions soon to be in front of IESG) specifying the actual mandatory to implement algorithms. Whether some implementation supports this new RFC is something that does not have well define answer, as people could say they implement this RFC if they support one or other, or both curves. Usually people are just saying they support algorithm RFC if they support one algorithm from there. I.e., vendors usually say they support RFC2451, even if they only support 3DES from there, and might not support CAST-128, RC5, IDEA and Blowfish. Anyways the mandatory to implement ciphers are specified in the rfc4307bis [1] and rfc7321bis [2]. These curves are not mentioned there, so they are still going to be MAY. When we are going to update 4307bis again then we are most likely going to make them SHOULD+ or even MUST (if there is enough implementations actually implementing them at that point). [1] https://datatracker.ietf.org/doc/draft-ietf-ipsecme-rfc4307bis/ [2] https://datatracker.ietf.org/doc/draft-mglt-ipsecme-rfc7321bis/ -- kivinen@iki.fi
- [IPsec] Stephen Farrell's Yes on draft-ietf-ipsec… Stephen Farrell
- [IPsec] Stephen Farrell's Yes on draft-ietf-ipsec… Tero Kivinen
- Re: [IPsec] Stephen Farrell's Yes on draft-ietf-i… Stephen Farrell
- Re: [IPsec] Stephen Farrell's Yes on draft-ietf-i… Yoav Nir
- Re: [IPsec] Stephen Farrell's Yes on draft-ietf-i… Stephen Farrell