Re: [IPsec] RFC4307 update

Daniel Migault <daniel.migault@ericsson.com> Mon, 05 October 2015 12:16 UTC

Return-Path: <daniel.migault@ericsson.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF3191AC425 for <ipsec@ietfa.amsl.com>; Mon, 5 Oct 2015 05:16:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8j2Zlp1qEjEJ for <ipsec@ietfa.amsl.com>; Mon, 5 Oct 2015 05:16:09 -0700 (PDT)
Received: from usevmg20.ericsson.net (usevmg20.ericsson.net [198.24.6.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 738471AC422 for <ipsec@ietf.org>; Mon, 5 Oct 2015 05:16:09 -0700 (PDT)
X-AuditID: c618062d-f79ef6d000007f54-f4-56120a431349
Received: from EUSAAHC007.ericsson.se (Unknown_Domain [147.117.188.93]) by usevmg20.ericsson.net (Symantec Mail Security) with SMTP id 54.47.32596.34A02165; Mon, 5 Oct 2015 07:27:31 +0200 (CEST)
Received: from EUSAAMB107.ericsson.se ([147.117.188.124]) by EUSAAHC007.ericsson.se ([147.117.188.93]) with mapi id 14.03.0248.002; Mon, 5 Oct 2015 08:16:07 -0400
From: Daniel Migault <daniel.migault@ericsson.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Yoav Nir <ynir.ietf@gmail.com>
Thread-Topic: [IPsec] RFC4307 update
Thread-Index: AQHQ+e8o8QBswXZNPk2wGpoCC0p1n55SW9cAgAAbMgCAACNMAIAKQAZw
Date: Mon, 05 Oct 2015 12:16:06 +0000
Message-ID: <2DD56D786E600F45AC6BDE7DA4E8A8C11216BB62@eusaamb107.ericsson.se>
References: <22025.15464.790587.801082@fireball.acr.fi> <23473.1443455828@sandelman.ca> <341A30F0-786A-48E5-BC03-C79420E4C1B8@gmail.com> <15982.1443469248@sandelman.ca>
In-Reply-To: <15982.1443469248@sandelman.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [147.117.188.10]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrJLMWRmVeSWpSXmKPExsUyuXRPrK4zl1CYwds2dYv9W16wWfQc6me3 WHrsA5MDs8fOWXfZPZYs+cnk0TJnD3MAcxSXTUpqTmZZapG+XQJXxuFj3UwF88QqNv7exNrA eEW0i5GTQ0LARGJR2w82CFtM4sK99UA2F4eQwFFGidZXm9khnGWMEp+7PjCDVLEJGEm0AS0F sUUE/CRmzT0C1s0soCpxd/9UVhBbWEBZYuHSZcwQNSoSk/ctg6p3k9j26w9YPQtQvGfrdqA4 BwevgK/EzHYBiF3rGCXuTjzLBFLDKaAj8WviLLA5jEDXfT+1hglil7jErSfzmSCuFpBYsuc8 M4QtKvHy8T9WCFtJYtLSc6wg85kFNCXW79KHaFWUmNL9EOwcXgFBiZMzn7BMYBSbhWTqLISO WUg6ZiHpWMDIsoqRo7Q4tSw33chgEyMwbo5JsOnuYNzz0vIQowAHoxIP7wMDwTAh1sSy4src Q4zSHCxK4rz7l9wPFRJITyxJzU5NLUgtii8qzUktPsTIxMEp1cDYXsj5c1X5LIb4yfc6NcoE k3W36PAW1NryK8r/fR76onB/s4fvf29Vrn7W/FlGnBfFnku8u96xS/ybyN24r8s2HhHddJ1l UhbXQ7aJoSuPGjHu6mczPcp1gvlJiqQ63wNn6T8Tl1xsDd4vGdm631AtR/PPzcPrAh5LPNFc F3yVw53Vep56ULYSS3FGoqEWc1FxIgBjdDX6fAIAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/FVmfpWrVYrffwnl2WmJMHmMdoag>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] RFC4307 update
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Oct 2015 12:16:11 -0000

Hi, 

There is a need to have that kind of document for 3GPP/SA3. Unless someone has already written the update, I can provide one by the end of the week.

BR, 
Daniel   

-----Original Message-----
From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Michael Richardson
Sent: Monday, September 28, 2015 3:41 PM
To: Yoav Nir
Cc: ipsec@ietf.org
Subject: Re: [IPsec] RFC4307 update


Yoav Nir <ynir.ietf@gmail.com> wrote:
    >> Tero Kivinen <kivinen@iki.fi> wrote:
    >>> We did update cryptographic algorithms for ESP and AH
    >>> (RFC4305->4835->7321), but we have never updated the RFC4307.
    >>
    >>> I think there should be update for that document too, as it now
    >>> defines following madantory to implement algorithms:
    >>
    >>> 1024 MODP Group, ENCR_3DES, PRF_HMAC_SHA1, AUTH_HMAC_SHA1_96.
    >>
    >>> And I think at least the 1024-bit MODP groupp, and perhaps the 3DES
    >>> also should be changed to something more suitable. For exmple
    >>> 2048-bit MODP group and ENCR_AES_CBC...
    >>
    >> I guess the can-o-worms called ECDSA will show up too as a SHOULD+.

    > Does it have to? 4307 does not mention any signature algorithms. ECDH
    > with NIST curves and/or the new curves might should make an appearance.

Sorry, that's what I meant to write, but my finger slipped.

    >> Does 3DES go to MAY?

    > I think so.

    >> Does SHA1 go to MUST-?
    >>
    >> We hadn't listed SHA2 at all before.  We also have no GCM/CCM things
    >> specified.
    >>
    >> Are we obligted to list them as SHOULD+ for awhile?

    > I think we should reflect what is common/best practice now. AES-GCM is
    > now widely implemented and faster than the combination of AES-CBC and
    > HMAC-SHA-something. I think it’s a prime candidate for MUST. CTR was
    > always uncommon. ChaCha20+Poly1305 is so new that it can't be MUST this
    > iteration. Maybe next time.

Agreed.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-