Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev1-algo-to-historic-08.txt

Tero Kivinen <kivinen@iki.fi> Fri, 25 November 2022 14:18 UTC

To: John Mattsson <john.mattsson@ericsson.com>
Cc: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org" <ipsec@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/IxgylUk_3FGFcxBZHhJ7sr0kkqY>

John Mattsson writes:
> Not too late to change. According to NIST, 2048-bit MODP Group and 224-bit
> Random ECP Group are MUST NOT use if the information you are protecting has a
> lifetime longer than 8 years (2031 - today). 1024-bit MODP is two security
> levels below that. I think IETF is generally way too slow in deprecating stuff.
> I would love to see the following deprecated as well:

I.e., if your information needs only to be protected for a few months,
those smaller groups should be ok...

Also note, that IETF does not give recommendations of the policy of
which algorithms users should be using.

IETF is giving recommendations of which algorithms are in actual
implementations. If we deprecate some algorithms that means that the
implementations will remove support for those algorithms at some point.
I.e., then we are taking options away from users and they can't use
them even if they would be completely suitable for them in their
environment.
-- 
kivinen@iki.fi