IETF Logo Mail Archive

Re: [IPsec] Secdir telechat review of draft-ietf-ipsecme-ikev2-multiple-ke-10

Valery Smyslov <svan@elvis.ru> Wed, 30 November 2022 07:16 UTC

Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20761C14CF1D; Tue, 29 Nov 2022 23:16:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=elvis.ru
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id msOH65uECEk3; Tue, 29 Nov 2022 23:16:22 -0800 (PST)
Received: from akmail.elvis.ru (akmail.elvis.ru [82.138.51.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47B17C14CF1A; Tue, 29 Nov 2022 23:16:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elvis.ru; s=mail; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID: Date:Subject:In-Reply-To:References:CC:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=5V1L5r59ZaIBm4g/iKBxKzas7FgsMryzFZpNs9S5sVU=; b=QoO9SGSeBc+pY5yp9xhAUDolmD uti7qCj+kymAFQIAgMoqAimxhZN6OM5i9fyd6Oh3xNlubJ3Jh777UzxgqgXupXVTmg/GluC9IaKjW JiEC+SdFokAbR37f1MRgvRGys9X6hMFmS1ScUdd/tNaYK/eEkTFtxS8olw5B0DNy+QtE=;
Received: from kmail.elvis.ru ([93.188.44.208]) by akmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1p0HKK-000165-SR; Wed, 30 Nov 2022 10:16:17 +0300
Received: from mail16.office.elvis.ru ([10.111.1.29] helo=mail.office.elvis.ru) by kmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1p0HKK-0006J6-N8; Wed, 30 Nov 2022 10:16:16 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Wed, 30 Nov 2022 10:16:16 +0300
Received: from buildpc (10.111.10.33) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Wed, 30 Nov 2022 10:16:16 +0300
From: Valery Smyslov <svan@elvis.ru>
To: 'Sean Turner' <sean@sn3rd.com>
CC: secdir@ietf.org, draft-ietf-ipsecme-ikev2-multiple-ke.all@ietf.org, ipsec@ietf.org, last-call@ietf.org
References: <166965793078.574.10550949979516489683@ietfa.amsl.com> <142b01d903ec$aab1bb40$001531c0$@elvis.ru> <676E400B-B8EA-421A-A1DB-45EC588965D0@sn3rd.com>
In-Reply-To: <676E400B-B8EA-421A-A1DB-45EC588965D0@sn3rd.com>
Date: Wed, 30 Nov 2022 10:16:18 +0300
Message-ID: <153f01d9048b$a40e0dd0$ec2a2970$@elvis.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQI1ZguzHNDFkMcw9AvJ7PFZKpKXygHIeMPYAhsJXK2tfx6CYA==
Content-Language: ru
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-KLMS-AntiSpam-Interceptor-Info: not scanned
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2022/11/30 06:37:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2022/11/30 02:40:00 #20626459
X-KLMS-AntiVirus-Status: Clean, skipped
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Kq8XP19Kk1pMD9fS8GJwIuvmwaI>
Subject: Re: [IPsec] Secdir telechat review of draft-ietf-ipsecme-ikev2-multiple-ke-10
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2022 07:16:27 -0000

Hi Sean,

[snipped]

> > I'm not sure the DEs have enough qualification to judge whether the proposed
> > algorithm is good or bad with its cryptographic properties. I believe it is the CFRG's task
> > to bless algorithms and the DEs should only pay attention to is whether
> > the proposed algorithm meets the protocol restrictions (and those are
> > listed in Section 4.1 for the DEs).
> 
> Valery you’re not giving yourself and Tero enough credit ;) 

:-)

> But, you did say exactly what I hoped you
> would say, in that the CFRG is going to evaluate the alg. Note sure if this needs to be documented.

In my opinion it is not needed. While CFRG generally evaluates most of algorithms
that populate this registry, some of them could be added without this evaluation.
I mean those algorithm that were specified outside of IETF or published via ISE 
(I'm here speaking as author of RFC 9227 and draft-smyslov-ike2-gost).

In IPSECME we have RFC 7321 and RFC 8247 that list the currently recommended algorithms,
and these RFCs are updated from time to time, because even CFRG "blessing" is not eternal :-)

Regards,
Valery.

v2.23.0 | Report a Bug | By Email