Re: [secdir] secdir review of draft-ietf-ipsecme-rfc7321bis-05
Christian Huitema <huitema@huitema.net> Wed, 15 March 2017 01:09 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CAA0129468 for <secdir@ietfa.amsl.com>; Tue, 14 Mar 2017 18:09:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vss_71njgpUE for <secdir@ietfa.amsl.com>; Tue, 14 Mar 2017 18:09:06 -0700 (PDT)
Received: from mx36-42.antispamcloud.com (mx36-42.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EED481293DA for <secdir@ietf.org>; Tue, 14 Mar 2017 18:09:05 -0700 (PDT)
Received: from xsmtp12.mail2web.com ([168.144.250.177]) by mx36.antispamcloud.com with esmtps (TLSv1.2:AES128-SHA:128) (Exim 4.86) (envelope-from <huitema@huitema.net>) id 1cnxR2-0006x4-Co for secdir@ietf.org; Wed, 15 Mar 2017 02:09:05 +0100
Received: from internal.xmail04.myhosting.com ([10.5.2.14] helo=xmail04.myhosting.com) by xsmtp12.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from <huitema@huitema.net>) id 1cnxR0-0003gu-Gl for secdir@ietf.org; Tue, 14 Mar 2017 21:09:03 -0400
Received: (qmail 20328 invoked from network); 15 Mar 2017 01:09:01 -0000
Received: from unknown (HELO [192.168.1.100]) (Authenticated-user:_huitema@huitema.net@[172.56.42.159]) (envelope-sender <huitema@huitema.net>) by xmail04.myhosting.com (qmail-ldap-1.03) with ESMTPA for <pwouters@redhat.com>; 15 Mar 2017 01:09:00 -0000
To: The IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-ipsecme-rfc7321bis.all@ietf.org, pwouters@redhat.com
References: <2927d78d-7293-ba53-4aa3-0351e0a6e7b2@huitema.net>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <b23b258d-bcaa-dc07-9c9b-3d0f0b085a74@huitema.net>
Date: Tue, 14 Mar 2017 18:08:58 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <2927d78d-7293-ba53-4aa3-0351e0a6e7b2@huitema.net>
Content-Type: multipart/alternative; boundary="------------4523A8E5FF303AC99C7468AD"
X-Originating-IP: 168.144.250.177
X-SpamExperts-Domain: xsmtpout.mail2web.com
X-SpamExperts-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-SpamExperts-Outgoing-Class: ham
X-SpamExperts-Outgoing-Evidence: Combined (0.10)
X-Recommended-Action: accept
X-Filter-ID: s0sct1PQhAABKnZB5plbIVbU93hg6Kq00BjAzYBqWlVTHAar8Je/lORhy3PZJU8LERWeKKG4PAQY Nyavp7c49L/N1imVzxQGuMdyq1ILpVFTugiLDom8V25hond3K4RsO76XSTAwtV4mg4i2ouCDa4AU hvIWAV5xUW/+gAh4vXodEeY0nW8ORiOPwbvZ3gVSRcOb18WfxGyg6Om6u4YYm4CEsXX+JLAGfJ2I 9AedaiI5hjoyEb9Oq0NWpyO3vrfYNrJwCbVSZviV1vzVlxiUlT3dKxLhoxcmaInYbR5vlqGudzLe k2TYFBStSOMccbr5Uz0sPgnpAk2KA2vJwMd1uWhCmLzOxTAcQmFWVARhgNqBNFD3an3wiMp49rVr ybSBe34TY+s3lj/RgDQoaICKQ3TFgIfDMShmlQFqCr5hA8xAXSGwpLGc/Znuh3MoIpK0LGMrf2Uz nKq2aEbLwJWA77bRF0J+AL6gRRwFcty0/RGJ+cv73CChOPjKA0/DVd83mzKXD5o/Ia+BqyQ7Q0nt IZ2PVtMHd8bHCmdzlxzVIEgwyGTHIAoNFX+jcW7DGmdE6eBVl9/A6GtGi+mfMSANmjLzCyMdOETT xDqixVDal2Zqxiuap5uKiBpffUsHYsfmkrboF55pyqAvfOP9PRiFk64VFGHGL6a4Aiv0Hpn+svlW gWWsfzmdEBxk/w4+z2XWHxcEeYXaEh7Ip8nBmIzXZwpqT8auRNlXQctohljUCg88OBwlL8z3WodL Hrx14/4LKhBaevb8pkwVq3+XN9bPyjRMyLUEno1frs9vZR0iI5iTGneI1cCMIcE6R6jtJ8btb7sy ltanepIHrA9+HqSAzcyb5coZOTT3LhJUAej3FHNf/tvEsq8ECzFNZ6L8s8pn
X-Report-Abuse-To: spam@quarantine5.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/U5aDGAbGHYkKJiqvXxC_SUNT1Z4>
Subject: Re: [secdir] secdir review of draft-ietf-ipsecme-rfc7321bis-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Mar 2017 01:09:09 -0000
Adding Paul explicitly, since the forwarding through the draft.all alias does not pass through the gates of redhat. On 3/14/2017 5:54 PM, Christian Huitema wrote: > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > The document revises RFC 7321. It updates the Cryptographic Algorithm > Implementation Requirements for ESP and AH. The new recommendations > emphasize using authenticated encryption, support for 256 bit keys, > and modern algorithms. The recommendations appear sound, even if there > are some compromises made, in particular in the name of IoT. > > This document is ready for publication as a Proposed Standard, with some nits. > > My first set of nits concerns the keywords "SHOULD+", "SHOULD-" and "MUST-" that the > draft is defining. These keywords would make an interesting update to RFC 6919. I > understand that "SHOULD+" and "MUST-" are already defined and used in RFC 7321, and > that you have at places to say "RFC 7321 said SHOULD+, but we change that to MUST". > So maybe you should just note that "RFC 7321 defines these additional keywords". > Also, you never use SHOULD- in the text, so there is no need to define it. You > only MUST- once, to downgrade "AUTH_HMAC_SHA1_96" from MUST to MUST-. You could save > space in the document by just adding a footnote for the SHA1 entry in the table, > stating that "this MUST means REALLY SHOULD NOT." Or maybe you really want to > update RFC 6919. > > The second set of nits contains manual keying. According to the draft, anyone using > manual keying is punished for doing so, and will only be able to use ENCR_AES_CBC. I > assume that there is WG consensus on that, but the justification that other algorithms > really require IKEv2 is a bit weak. If there is an API to configure encryption with the > results of an IKEv2 negotiation, it could just as well be used with the results of a > manual configuration. Not sure that the definition of algorithms is the best place to > deprecate manual configuration, even if there are some pretty good reasons to do that. > > My last set of nits concerns the relation between this draft and the IANA registry of > Internet Key Exchange Version 2 (IKEv2) Parameters. I understand that we have five states > of specification or recommendation: > * MUST implement and MAY use algorithms such as ENCR_AES_GCM_16; > * SHOULD implement and MAY use algorithms such as ENCR_CHACHA20_POLY1305; > * SHOULD implement and MAY use but only for IoT devices, e.g. ENCR_AES_CCM_8; > * SHOULD NOT implement and MUST NOT use, e.g. ENCR_DES; Presumably, the code > has to be yanked from existing implementations. > * and then MAY implement and MAY use, e.g. ENCR_CAMELLIA_CBC. > But the fifth category is only specified by default, as "those algorithms that > are listed in the IANA registry but not referenced in the draft." I wonder whether there > is a way to express that clearly in the draft. > > -- Christian Huitema > > > > >
- [secdir] secdir review of draft-ietf-ipsecme-rfc7… Christian Huitema
- Re: [secdir] secdir review of draft-ietf-ipsecme-… Christian Huitema
- Re: [secdir] secdir review of draft-ietf-ipsecme-… Paul Wouters
- [secdir] secdir review of draft-ietf-ipsecme-rfc7… Tero Kivinen