Re: [IPsec] RFC 4307bis
Yaron Sheffer <yaronf.ietf@gmail.com> Tue, 10 November 2015 16:38 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 435121A002D for <ipsec@ietfa.amsl.com>; Tue, 10 Nov 2015 08:38:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4
X-Spam-Level:
X-Spam-Status: No, score=-4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, GB_I_INVITATION=-2, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9tptykgzGwwy for <ipsec@ietfa.amsl.com>; Tue, 10 Nov 2015 08:38:13 -0800 (PST)
Received: from mail-pa0-x22b.google.com (mail-pa0-x22b.google.com [IPv6:2607:f8b0:400e:c03::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C284D1A0024 for <ipsec@ietf.org>; Tue, 10 Nov 2015 08:38:13 -0800 (PST)
Received: by pabfh17 with SMTP id fh17so1694356pab.0 for <ipsec@ietf.org>; Tue, 10 Nov 2015 08:38:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:subject:to:references:cc:message-id:date:user-agent :mime-version:in-reply-to:content-type:content-transfer-encoding; bh=KqOQvak9e1YdwmWwSjhhjSigFUP+7/pYUlxW8TN8/t4=; b=XHwO/1otq7kNCwzdE9l77XfmNjLrECxwBNTlTvJ9GFLC9mdDi0VEZtOgUfUVBJfGyz HGG0yP/mWl2ip7IByXlbgeUyYNbPN7wiQXxvX7Oarm7MxIhy6QgFJEInsX5/RsDy8ETp PHya5oNQWG6dxTHgl0zzb2x/qT86rEawkrirlsqW/k7oswBGmm4iC8DxRNl3409HQxYw HXUPpzP84QXC81ZVBR/BObVHHCp1nwDETGUku5sKY0u7bl5/p/X05k1j6AqlIXCO+81W La86jYlHqJOKyfWWa054A7I+T0V0jC9cR2LU6kD3N1ym+tbEKjErgnB9IpcOZdHA35F7 Qegw==
X-Received: by 10.66.63.37 with SMTP id d5mr7082448pas.103.1447173493319; Tue, 10 Nov 2015 08:38:13 -0800 (PST)
Received: from [192.168.1.129] ([2.54.145.121]) by smtp.googlemail.com with ESMTPSA id bn1sm5005006pad.17.2015.11.10.08.38.10 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 10 Nov 2015 08:38:12 -0800 (PST)
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>, Daniel Migault <daniel.migault@ericsson.com>
References: <0748F101-7104-4F07-B440-31A9CF63BE32@gmail.com> <9EBE3C6E-C7F2-4327-B4E2-3363BD96ECC1@gmail.com> <BFE49F4B-944E-4B7F-9327-8AA0FCD4386D@vpnc.org> <CADZyTkkLNbp-D_vOBt-hnq1y+0kz8co77FCyDT-pPup2Hpjo3A@mail.gmail.com> <A0CF7441-A4FF-452E-BC93-94F22F3CB34C@gmail.com>
Message-ID: <56421D6F.7080506@gmail.com>
Date: Tue, 10 Nov 2015 18:38:07 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <A0CF7441-A4FF-452E-BC93-94F22F3CB34C@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/R9R3-xjKNP0JSZbCaLJsHKth7jM>
Cc: IPsecME WG <ipsec@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [IPsec] RFC 4307bis
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2015 16:38:16 -0000
A few comments, sorry for not using GitHub. I think the following text is kinda funny: "IKEv1 is out of scope of this document. IKEv1 is deprecated and the recommendations of this document MUST NOT be considered for IKEv1." We cannot tell people normatively what they can consider and what they cannot. Let's skip the capitalized MUST NOT. The rationale for GCM describes why it's in the table, but seems to argue for a MUST (rather than the SHOULD that's in the table). I guess there's a reason why we don't have MUST, let's spell it out. "As the overhead of AUTH_HMAC_SHA2_512 is negligible": suggest to change to "as the *additional* overhead". I believe we should cite RFC 6194 when recommending against SHA-1. "As it is not being deployed" - I suggest the softer "as it is not widely deployed" - we don't really know that nobody had ever deployed it. "and now it is known to be weak at least for a nation state" - suggest to change to "and now it is known to be weak against a nation-state attacker". Thanks, Yaron On 11/10/2015 12:33 AM, Yoav Nir wrote: > Or for a diff-style view, see the pull request: > https://github.com/ietf-ipsecme/drafts/pull/8/files > > Yoav > >> On 10 Nov 2015, at 12:30 AM, Daniel Migault >> <daniel.migault@ericsson.com <mailto:daniel.migault@ericsson.com>> wrote: >> >> Hi, >> >> You can view the latest changes here: >> >> https://github.com/mglt/drafts/blob/d2d31f6f9f0b4d57c8343826ad23fc546b99a467/draft-ietf-ipsecme-rfc4307bis >> >> We added some text to recommend the status of each recommended algorithms. >> >> On Mon, Nov 9, 2015 at 11:27 AM, Paul Hoffman <paul.hoffman@vpnc.org >> <mailto:paul.hoffman@vpnc.org>> wrote: >> >> On 9 Nov 2015, at 5:48, Yoav Nir wrote: >> >> So I’ve merged the changes and submitted version -01 of the draft. >> >> The stub paragraphs explaining the choices of algorithms are >> waiting to be filled. Please submit pull requests. >> >> https://github.com/ietf-ipsecme/drafts/blob/master/draft-ietf-ipsecme-rfc4307bis >> >> >> This is an invitation to the WG to contribute to to this draft. If >> you are already familiar with GitHub, submit pull requests as Yoav >> said. If you are not yet familiar with GitHub, feel free to send >> text to the mailing list, and one of the authors will quickly >> enter those for you in GitHub. That is, being able to use GitHub >> is *not* required for you to contribute text. >> >> --Paul Hoffman >> >> >> _______________________________________________ >> IPsec mailing list >> IPsec@ietf.org <mailto:IPsec@ietf.org> >> https://www.ietf.org/mailman/listinfo/ipsec >> >> >> _______________________________________________ >> IPsec mailing list >> IPsec@ietf.org <mailto:IPsec@ietf.org> >> https://www.ietf.org/mailman/listinfo/ipsec > > > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec >
- Re: [IPsec] RFC 4307bis Tero Kivinen
- [IPsec] RFC 4307bis Yoav Nir
- Re: [IPsec] RFC 4307bis Yoav Nir
- Re: [IPsec] RFC 4307bis Paul Hoffman
- Re: [IPsec] RFC 4307bis Daniel Migault
- Re: [IPsec] RFC 4307bis Yoav Nir
- Re: [IPsec] RFC 4307bis Yaron Sheffer
- Re: [IPsec] RFC 4307bis Yoav Nir
- Re: [IPsec] RFC 4307bis Daniel Migault
- Re: [IPsec] RFC 4307bis Yaron Sheffer
- Re: [IPsec] RFC 4307bis Daniel Migault
- Re: [IPsec] RFC 4307bis Daniel Migault
- Re: [IPsec] RFC 4307bis Tommy Pauly
- Re: [IPsec] RFC 4307bis Paul Wouters
- Re: [IPsec] RFC 4307bis Daniel Migault
- Re: [IPsec] RFC 4307bis Tommy Pauly
- Re: [IPsec] RFC 4307bis Daniel Migault
- Re: [IPsec] RFC 4307bis Daniel Migault
- Re: [IPsec] RFC 4307bis Daniel Migault
- Re: [IPsec] RFC 4307bis John Mattsson
- Re: [IPsec] RFC 4307bis Daniel Migault
- Re: [IPsec] RFC 4307bis Tero Kivinen