IETF Logo Mail Archive

Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev1-algo-to-historic-08.txt

Daniel Migault <mglt.ietf@gmail.com> Mon, 28 November 2022 18:22 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BD43C1526E3 for <ipsec@ietfa.amsl.com>; Mon, 28 Nov 2022 10:22:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9sxxRhVj6gO6 for <ipsec@ietfa.amsl.com>; Mon, 28 Nov 2022 10:22:42 -0800 (PST)
Received: from mail-oa1-x2d.google.com (mail-oa1-x2d.google.com [IPv6:2001:4860:4864:20::2d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF412C1526E5 for <ipsec@ietf.org>; Mon, 28 Nov 2022 10:22:35 -0800 (PST)
Received: by mail-oa1-x2d.google.com with SMTP id 586e51a60fabf-12c8312131fso14044842fac.4 for <ipsec@ietf.org>; Mon, 28 Nov 2022 10:22:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=o4Udk/CYYLOqEz6pN/5Ts1AWBJ7iPDmUM6VZEVH/xT4=; b=icxDDunrJ3MxQhuJQlb5F9wGXvgJH9Zdrio0aVF+vAmTLyyViUXWOw8X1D2vYwH7RF Ga9tQQcA1TOk5vZjGzNwTqtKf7ov+87V6o2s1644z+xsPwoDH19cS7urvtDaaFDfQuLG G2Dj/vf0YeO5BLxwknlTUnBVAmDh0+HZJ1SY9Uap6EKqkNLRPC/ucM3M4JuFm0pKgyTA SoAII2AeZuF65DZPNQ5v7pUF/zapFaA0GCYrY40xI3RzTY442P4o7oyvq00NSM/PW3OM VxNvBn8R8XWqkNgLc6YJwriEZpP4G7uISGLI58ox/wDN9wn/sPtaXfW+n3bEvpMV8z2f EMww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=o4Udk/CYYLOqEz6pN/5Ts1AWBJ7iPDmUM6VZEVH/xT4=; b=8AsIF3nRJ/vJwc3Ox3m9rYZrO6ET8nVxOovPFC40wQH2b7dv7BhTBBMcFsx5iOa1Zz tj1PcsPhY5ai0ZoDemotGflRRJPv7QcZ+DDRFNaFr3wmpT+pTvHDZZwdgxq/CSixDw0w 5BY1Y5L61vziWOAnr3GXOLIcTtPTgrMWfmj94Yu1p+WqRS40+ge3i/bwmwJ680NWoxQB VRJpTzNw92SATIyYI4z5TfOeDhqba8WAXk3ij6bx5XxLPb8IaLJsaEYYpsSS1jeQj8Y9 q+K76frGN+ZmvvD2/x7lsB3KtNlJ928WMNtfdPazmJsaO5hpVGlQGCpjpfwESFR9GuuQ 80PA==
X-Gm-Message-State: ANoB5pmYEz7MK34G3I9N6Qggr043PBsL8s/AEqnl7Eyph6NsuH/OQOkw df6flsth8iAZf22F1t+aBpOtwilaEZ+aEEfAd0WcO1SO
X-Google-Smtp-Source: AA0mqf70CWnb+lGHu/dimqi4hEsoWz3ccFHpHGyVdKTwOoh0HwLKsFw1lAEkS0IzMDKgELbRWMYXgjzjAdZlLiTiYh8=
X-Received: by 2002:a05:6870:591:b0:13b:bbbb:1623 with SMTP id m17-20020a056870059100b0013bbbbb1623mr21695469oap.115.1669659754463; Mon, 28 Nov 2022 10:22:34 -0800 (PST)
MIME-Version: 1.0
References: <166878243717.63383.13722856524693664615@ietfa.amsl.com> <d5250375-e220-6b1c-ca6f-357d6c12674a@nohats.ca> <25470.3527.51755.35718@fireball.acr.fi> <e0b4d346-0b0b-5c33-97c5-1849d89e5e36@nohats.ca>
In-Reply-To: <e0b4d346-0b0b-5c33-97c5-1849d89e5e36@nohats.ca>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 28 Nov 2022 13:22:22 -0500
Message-ID: <CADZyTk=YZE1pEjkZ2RhcuF81YNu2i7HSGJkOETcF2KXJCt6sAw@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008f861a05ee8bf4a2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/nu46Cs9XG5q7bU68Ol1azY-N2zo>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev1-algo-to-historic-08.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2022 18:22:46 -0000

On Sun, Nov 27, 2022 at 2:03 PM Paul Wouters <paul@nohats.ca> wrote:

> On Wed, 23 Nov 2022, Tero Kivinen wrote:
>
> > I.e., the main reason being that group 2 was only MUST algorithm
> > before, and moving it from MUST to MUST NOT while we do not have any
> > oher algorithms as MUST was considered bad. Also the group is formed
> > inin a deterministic way which should not make it possible that the
> > group is created to be weak from the beginning.
>
> Right, so if we were to update 8247 (post ikev1 historicness), we should
> do:
>
> * AES_GCM_16 from SHOULD to MUST
> * AES_CBC from MUST to SHOULD
> * 3DES from MAY to MUST NOT
>
> * PRF_HMAC_SHA1 from MUST- to SHOULD
>
> * AUTH_HMAC_SHA1_96 from MUST- to SHOULD
>
> It is tempting to speed it up to SHOULD NOT though SHA1 may not be a big
issue there.

> * 1024-bit MODP Group from SHOULD NOT to MUST NOT
> * 1536-bit MODP Group from SHOULD NOT to MUST NOT
>
> Arguably, the SHA1 entries could go to MUST NOT because no one should
> have ever had a need for those for IKEv2.
>
> Paul
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email