Re: [secdir] SECDIR review of draft-ietf-ipsecme-rfc4307bis-15

Yoav Nir <ynir.ietf@gmail.com> Wed, 18 January 2017 15:03 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CAA9129476; Wed, 18 Jan 2017 07:03:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K9Sue-7kkq4K; Wed, 18 Jan 2017 07:03:42 -0800 (PST)
Received: from mail-wm0-x244.google.com (mail-wm0-x244.google.com [IPv6:2a00:1450:400c:c09::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06A32126D73; Wed, 18 Jan 2017 07:03:42 -0800 (PST)
Received: by mail-wm0-x244.google.com with SMTP id r144so4714147wme.0; Wed, 18 Jan 2017 07:03:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=DmFaAfU1wxcbLOC0X4FpbmO5+CJODKPfdnDzfDSRtBc=; b=eFEiWaYwWd1ex6AXQYfRTTAuN2way58zp5zjsWr/IvIbQltQDvPKEcBuqyDnDBztTV 7C5wzp1VjasSHOUck1rPxUjtinbJ+1PVP504lHZSSAAwNZqsmMppjH0PJrZDcdx9eMMA 9rnBGXBy09nHAWpgcRwbCMeYlyaL6dp6pMJYrbdH2bex9mOhK3QTj4ONqn7v8vPzrmbu hunAmCJ2u0MM+GpU1IOsVQHrNDjdHbHwABIX37xfWnvSVIioa9qPQA1wLTwWz5iHCKMY LEmG0eCpo6/G/GJSBimQNkm/2Tr8VeK6hTcXzxWPmEgG0+ZbTTkkNxEx+4xs8sm8yadc GTHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=DmFaAfU1wxcbLOC0X4FpbmO5+CJODKPfdnDzfDSRtBc=; b=sw2tqL2USoZ+XxCDSj2hnNFzxeD3ok06f6gZKxMtUmlqPf93hK6f2ou+LvCFGzhR4j MEJxSlp07UnueUNl9nhpWfiiKLMN49BHItzz1aZPIF0CDjY0gSNoElv7kjZAQs90v5Ca 5Tz1kCfm1tIKzA5nv6d54SGmMKPKeaNdqWe+PLJ6rx4gPnm4D0qC7/hiR9cZhYrPaauw +pCvWj+/ByC+uSBA3J+Fv/7QO86BNpXjXr056WBd2FiMJhPhOJuw9ZpZJabOrox0fpLh 705A8lb07Gk1DO9JVNu4zd9c0MfKF+aLZx1pWi0hPwqZ00UJOmER2CR4cqXZUwGiEJEQ de9A==
X-Gm-Message-State: AIkVDXJgKC+6C2E4ZuTGg3Ue9qcS91toKrYIg+CqY0ELlGFt1kTRloIUuxtSGDI73vUhig==
X-Received: by 10.28.217.83 with SMTP id q80mr12074830wmg.58.1484751820468; Wed, 18 Jan 2017 07:03:40 -0800 (PST)
Received: from [172.24.250.243] (dyn32-131.checkpoint.com. [194.29.32.131]) by smtp.gmail.com with ESMTPSA id k11sm5446545wmb.18.2017.01.18.07.03.39 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 18 Jan 2017 07:03:39 -0800 (PST)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <2E57FFB8-20ED-410D-A5E4-21ED72270BA8@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A9F9750D-F8FA-4333-A777-303EAE8453B7"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Wed, 18 Jan 2017 17:03:34 +0200
In-Reply-To: <CABrd9SSCB6FszYp=PkGY6EnjYzjBKeEDbaqs4_Yb5R1eMmy6Sw@mail.gmail.com>
To: Ben Laurie <benl@google.com>
References: <CAMm+Lwi7EnH0tMPS5+CX_-xZMKEr08vtN0207biWxMik4V-XZw@mail.gmail.com> <CABrd9SSCB6FszYp=PkGY6EnjYzjBKeEDbaqs4_Yb5R1eMmy6Sw@mail.gmail.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/z34afvZX4PrBQdsdlOVa7eq8Z3A>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, draft-ietf-ipsecme-rfc4307bis.all@ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] SECDIR review of draft-ietf-ipsecme-rfc4307bis-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jan 2017 15:03:44 -0000

> On 18 Jan 2017, at 14:42, Ben Laurie <benl@google.com> wrote:
> 
> Aren't we supposed to be deprecating 5114 primes?

Sure:

   Group 22, 23 and 24 are MODP Groups with Prime Order Subgroups thater
   are not safe-primes.  The seeds for these groups have not been
   publicly released, resulting in reduced trust in these groups.  These
   groups were proposed as alternatives for group 2 and 14 but never saw
   wide deployment.  It has been shown that Group 22 with 1024-bit MODP
   is too weak and academia have the resources to generate malicious
   values at this size.  This has resulted in Group 22 to be demoted to
   MUST NOT.  Group 23 and 24 have been demoted to SHOULD NOT and are
   expected to be further downgraded in the near future to MUST NOT.

This is what deprecation looks like

Yoav


> 
> On 18 January 2017 at 02:24, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
>> 
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG.  These comments were written primarily for the benefit of the
>> security area directors.  Document editors and WG chairs should treat
>> these comments just like any other last call comments.
>> 
>> STATUS: Ready with one minor typo.
>> 
>> 
>> My personal taste would be to reduce the number of algorithms by half. But
>> that is not practical given the history so this is the best we can do in the
>> circumstances.
>> 
>> 
>> 
>> Typos
>> 
>> Sec 3.4
>> 
>>   Group 22, 23 and 24 are MODP Groups with Prime Order Subgroups thater
>>   are not safe-primes.  The seeds for these groups have not been
>> 
>> 
>> _______________________________________________
>> secdir mailing list
>> secdir@ietf.org
>> https://www.ietf.org/mailman/listinfo/secdir
>> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>>