Re: [secdir] SECDIR review of draft-ietf-ipsecme-rfc4307bis-15

Daniel Migault <> Wed, 18 January 2017 03:31 UTC


Hi Phillip,

Thanks for the review. Next iterations should see that number reduced a bit more … ;-)


From: [] On Behalf Of Phillip Hallam-Baker
Sent: Tuesday, January 17, 2017 9:25 PM
Subject: SECDIR review of draft-ietf-ipsecme-rfc4307bis-15

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

STATUS: Ready with one minor typo.

My personal taste would be to reduce the number of algorithms by half. But that is not practical given the history so this is the best we can do in the circumstances.


Sec 3.4

   Group 22, 23 and 24 are MODP Groups with Prime Order Subgroups thater
   are not safe-primes.  The seeds for these groups have not been