Re: [secdir] [IPsec] I-D Action: draft-harkins-brainpool-ike-groups-00.txt

Tero Kivinen <kivinen@iki.fi> Wed, 29 August 2012 14:45 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 971AB21F8525; Wed, 29 Aug 2012 07:45:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.716
X-Spam-Level:
X-Spam-Status: No, score=-102.716 tagged_above=-999 required=5 tests=[AWL=-0.117, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M8qQg7Y8MdvH; Wed, 29 Aug 2012 07:45:25 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id 9639F21F8528; Wed, 29 Aug 2012 07:45:24 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.5/8.14.5) with ESMTP id q7TEjMo9018138 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 29 Aug 2012 17:45:22 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.5/8.12.11) id q7TEjLTK012338; Wed, 29 Aug 2012 17:45:21 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <20542.11009.577257.29490@fireball.kivinen.iki.fi>
Date: Wed, 29 Aug 2012 17:45:21 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Dan Harkins" <dharkins@lounge.org>
In-Reply-To: <6c1ddd2baf1480f6e7abeab6ac618402.squirrel@www.trepanning.net>
References: <20120809010519.15222.89232.idtracker@ietfa.amsl.com> <503CAA6F.30302@ieca.com> <9035196F-001D-4E15-B6D6-30B59BEBBB01@cs.tcd.ie> <73F8581B-716F-4466-8F6B-645206789C5E@checkpoint.com> <DDAF3F15-4C72-4CC9-AC4D-29D7496A7BD3@mimectl> <f78fae22050825d0da20c332fc4136d4.squirrel@www.trepanning.net> <503CEC59.9080601@gmail.com> <d27c02a7ccb21b129b59b4f81a986490.squirrel@www.trepanning.net> <DC26318D-4A8E-4935-91A5-A3BA716174BF@vpnc.org> <6c1ddd2baf1480f6e7abeab6ac618402.squirrel@www.trepanning.net>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 12 min
X-Total-Time: 12 min
Cc: IPsecme WG <ipsec@ietf.org>, secdir <secdir@ietf.org>
Subject: Re: [secdir] [IPsec] I-D Action: draft-harkins-brainpool-ike-groups-00.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Aug 2012 14:45:25 -0000

Dan Harkins writes:
> > I was with you until that last phrase. It most certainly is an
> > IKEv1 code point discussion.
> 
>   If you insist that the registry say "not for IKEv1" then the
> code points are not for IKEv1 and any discussion about code points
> that are not for IKEv1 is not an IKEv1 code point discussion.

That registry is for IKEv1. Meaning ANY changes to those registries
are still IKEv1 issues. Regardless whether we say that those points
are not for IKEv1 use.

Are you saying that if I want to add 2000 new cipher suites to TLS
registry (from the Specification Required space) and say that they are
not for TLS use, I do not need to ask anything from the TLS working
group?

So I myself at least do consider this to be also IKE issue even when
the groups are not for IKEv1 use, just because it changes IKEv1
registry. 

>   Please rephrase your wants into specific comments on the draft that
> I can then accept, counter, or reject. And please do not send them to
> the IPsecME list because, as you said, this "is *not* an IPsecME WG
> issue" (emphasis yours).

Remove the completely stupid "5. Insecurity Considerations" containing
your own biased opionions of the reality.

Add proper note why these things are to be added at all.

You say in the section 1 that "Other pprotocols, ...", but do not
point out any other than IEEE802.11, is there some other protocols
referencing this registry than the IEEE802.11? Also it would be better
to say that in the IEEE 802.11 only the SAE uses this registry. Also
how widely supported SAE is? I have not seen it in any of the user
interfaces for wlan systems I have configured at?

Also the point that these groups are not for IKE is bit misleading
when the title says IKE, and abstract talks about adding groups to
"registry established by Teh Internet Key Exchange (IKE)", but does
not point out that it is not for that protocol at all...

> > Whether or not you want to do those, I want the ADs to decide whether it
> > is appropriate to do more work on IKEv1, such as adding these curves to
> > the IKEv1 registries. If they think the work is appropriate, they can also
> > say where it should be done.
> 
>   They already did; you were there.

I was there too, but I think I missed it too.

Can you tell me what did they decide? Is it approriate to do any more
work on IKEv1? And if so where should it be done?
-- 
kivinen@iki.fi