Re: [IPsec] 3GPP question about ECDSA support
Paul Wouters <paul@nohats.ca> Fri, 22 July 2016 17:56 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FA3712D7AD for <ipsec@ietfa.amsl.com>; Fri, 22 Jul 2016 10:56:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.287
X-Spam-Level:
X-Spam-Status: No, score=-3.287 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J3eypusF8R3I for <ipsec@ietfa.amsl.com>; Fri, 22 Jul 2016 10:56:40 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32FEC12D16F for <ipsec@ietf.org>; Fri, 22 Jul 2016 10:56:40 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3rwyyG1pLnz2Gq; Fri, 22 Jul 2016 19:56:38 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1469210198; bh=sWD5ipDuTZ852VaIQau3jx+krL0mEPJjKy76aa0BKmo=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=SbOnxzRKo9ULMmchOQ5oQfa5pHaLPbi2Ep7LpXlbzUfay1YvuTZASoMtTfvwUhRJT NOLjXIVgXNYcQLVWXQiFIXOTjMxdvEiF+ZaHDbCUt5XfnsdnZQkr5kkySxFzjffDls Ciu8AkxHDFxxursFOTkDBhxciW7DWg4acZjmDviI=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id mgZxSlxNnpDf; Fri, 22 Jul 2016 19:56:36 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 22 Jul 2016 19:56:36 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id D11C3393D67; Fri, 22 Jul 2016 13:56:35 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca D11C3393D67
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id BBD5D40D6F5B; Fri, 22 Jul 2016 13:56:35 -0400 (EDT)
Date: Fri, 22 Jul 2016 13:56:35 -0400
From: Paul Wouters <paul@nohats.ca>
To: John Mattsson <john.mattsson@ericsson.com>
In-Reply-To: <D3B8289B.4DC47%john.mattsson@ericsson.com>
Message-ID: <alpine.LRH.2.20.1607221349180.22251@bofh.nohats.ca>
References: <D3B8289B.4DC47%john.mattsson@ericsson.com>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/uKoYy-aRzwfGft2ViU0jAujhook>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Vesa Torvinen <Vesa.Torvinen@ericsson.com>, Vesa Lehtovirta <vesa.lehtovirta@ericsson.com>
Subject: Re: [IPsec] 3GPP question about ECDSA support
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jul 2016 17:56:42 -0000
On Fri, 22 Jul 2016, John Mattsson wrote: > Subject: [IPsec] 3GPP question about ECDSA support > > 3GPP is currently apopting ECDSA for all uses of IKEv2 (older releases > used RSA). My 3GPP SA3 colleagues (cc) have asked me to forward the > question below to the IPSec wg. As discussed in Buenos Aires, 3GPP and > IETF should coordinate more, I hope the IPSec wg can provide valuable > feedback. See https://tools.ietf.org/html/draft-ietf-ipsecme-rfc4307bis-07#section-4 While the old style "auth by IKE algorithm number" are still at SHOULD, they will be demoted in the near future because we are promoting using Digital Signatures as per RFC 7427 instead. https://tools.ietf.org/html/rfc7427 As the draft states: RSA authentication, as well as other specific Authentication Methods, are expected to be replaced with the generic Digital Signature method of [RFC7427]. [...] ECDSA based Authentication Methods are also expected to be downgraded as it does not provide hash function agility. Instead, ECDSA (like RSA) is expected to be performed using the generic Digital Signature method. The advantage is that the AUTH algorithm will be negotiated by OID and be independent of any IKE/IPsec RFC's. New standards should really only use 7427 for authentication. ECDSA should be supported via RFC-7427 and not via the legacy IKE algorithm numbers. Paul
- Re: [IPsec] 3GPP question about ECDSA support Paul Wouters
- [IPsec] 3GPP question about ECDSA support John Mattsson