Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc4307bis-06.txt
"Valery Smyslov" <svanru@gmail.com> Thu, 07 April 2016 13:17 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04C1712D954 for <ipsec@ietfa.amsl.com>; Thu, 7 Apr 2016 06:17:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.261
X-Spam-Level:
X-Spam-Status: No, score=-2.261 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GxUEs2GCw8Mx for <ipsec@ietfa.amsl.com>; Thu, 7 Apr 2016 06:17:08 -0700 (PDT)
Received: from mail-qg0-x22a.google.com (mail-qg0-x22a.google.com [IPv6:2607:f8b0:400d:c04::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8719B12D92A for <ipsec@ietf.org>; Thu, 7 Apr 2016 06:17:08 -0700 (PDT)
Received: by mail-qg0-x22a.google.com with SMTP id f105so38623188qge.2 for <ipsec@ietf.org>; Thu, 07 Apr 2016 06:17:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:cc:references:in-reply-to:subject:date :mime-version:content-transfer-encoding:importance; bh=/0BdEsa0nWCDnFGqBMHOwLPyRngJy96gD7X+/kAfMl0=; b=B7RrEfcm6Uo7dbwWwPoAPOsNNqmQmkekIv4q5bNrUkY/Yuq+X6cnXu7i5cbc/8oLYA X7HR8wHXEVrK9UTD0pMiNAuwRfsDHiDI2H1n/oExP/yGxko937ETHG2u+YZYsEVvJmXV h9Tx5554WlcVMW1owwQbGxO/ceQHdmYMapHdJzXRuXE6qYme/wjHcsWuiucE0AV84HXr MGT/QKSrmSor0WZVs5xj8ylPFGnZl3SEoZIvZfnGvfqjrSrKT7tO2ziXEo18szoJe0wW EfPoz6VowfA+1rmn08aTACkFkbXGAOptrWVKfoHp0ll1od+VwLvF9K5Wh+bYlheNoLgG 5bgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:from:to:cc:references:in-reply-to :subject:date:mime-version:content-transfer-encoding:importance; bh=/0BdEsa0nWCDnFGqBMHOwLPyRngJy96gD7X+/kAfMl0=; b=ZLIclcYCAPD7jSWdXNanVw2rqcTm0VwX0xcDBj4LZB+Ft5NnVjvLq/JpqOVandlJNN GUkgGO9ix/oH9mfy4+x2tcSKz4mWa/Ddnt4rvaqGsIujm3j8CegiKPqa6JRd2W1IfuQ9 M6gUE9jOpNx7tMfGopkJU+JgcJUc0Q78mmbHB6dzR9xA8fmWqdeqs2hXyWWElXsa1l5T CJNThyJn5crgmQZuDeRvbP9GixDKN/kPhIVL3NRyPFUqpvy0Isdrnv1hfHSX/ZhC2H8Q DcTMLEa5T8n4FPvuH2xEaQiwbrSATjNv/6sf9GkqbkMLvEboHJ/HBBghTd7LvdsvJ9Yc EKWg==
X-Gm-Message-State: AD7BkJLKIzm1Js3M8G9rWaovD+KT/s7pKB9wr1lAldJ3ewC2jZfi4SnNMtefyOJwWMZrcQ==
X-Received: by 10.140.87.98 with SMTP id q89mr3550382qgd.8.1460035027465; Thu, 07 Apr 2016 06:17:07 -0700 (PDT)
Received: from notebook ([2001:67c:370:168:4042:b869:58fd:1fcc]) by smtp.gmail.com with ESMTPSA id s67sm3352685qgs.48.2016.04.07.06.17.05 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Apr 2016 06:17:06 -0700 (PDT)
Message-ID: <F40AD8BE6DDA484FB95ED61653259871@notebook>
From: Valery Smyslov <svanru@gmail.com>
To: Tero Kivinen <kivinen@iki.fi>
References: <20160406165945.24993.3487.idtracker@ietfa.amsl.com><22277.20520.264319.773683@fireball.acr.fi><27E13094E90E4AC8BAE9DFF017324AE0@notebook> <22277.35607.896237.279372@fireball.acr.fi>
In-Reply-To: <22277.35607.896237.279372@fireball.acr.fi>
Date: Thu, 07 Apr 2016 10:17:01 -0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/oQ6NGG1WTHKjDiFdfGCdb0PXmso>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc4307bis-06.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2016 13:17:11 -0000
After re-reading the draft I think that I'm also a bit unhappy with the way the last table (Section 4.2) is introduced. The draft says that this table is: Recommendation of Authentication Method described in [RFC7427] notation. However, the values from this table are just examples in RFC7427. Why exactly these algorithms were selected for recommendation? What about others (EdDSA, GOST etc)? I understand that the algorithms listed were probably most popular (at least some of them) at the time RFC 7427 ws written. But why continue to maintain this list, when it is just a list of examples in RFC7427? Well, I understand that some recommendations should be given. But probably only those signing algorithms that have non-MAY status should be listed and a note should be added that all others are MAY (that will refer to any unlisted signature algorithm)? What others think? Regards, Valery. -----Original Message----- From: Tero Kivinen Sent: Wednesday, April 6, 2016 7:17 PM To: Valery Smyslov Cc: ipsec@ietf.org Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc4307bis-06.txt Valery Smyslov writes: > my comments mostly are addressed, thanks. > The one still unaddressed is a strange comment "?SHOULD" in the last table > (Section 4.2). What does it mean? I think that is leftover from our internal discussions, i.e. whether we should mark that ecdsa-with-sha512 as SHOULD instead of MAY. I think MAY is fine, so unless people think we should pick that too with SHOULD, I will remove that in next version. I do not think we need to do it now, we can do the WGLC with the draft we have now, and remove it after that. Other thing I want people to think is whether we should say something else about the AES key sizes, i.e. we now say MUST for 128-bit, MAY for 256-bit and "192-bit keys can safely be ignored." One proposal that was done was to change that MUST for 128-bit, SHOULD for 256-bit, and perhaps even SHOULD NOT for 192-bit. -- kivinen@iki.fi
- [IPsec] I-D Action: draft-ietf-ipsecme-rfc4307bis… internet-drafts
- [IPsec] I-D Action: draft-ietf-ipsecme-rfc4307bis… Tero Kivinen
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc430… Valery Smyslov
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc430… Tero Kivinen
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc430… Valery Smyslov
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc430… Tero Kivinen
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc430… Valery Smyslov
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc430… Paul Wouters