Re: draft-ietf-curdle-ssh-modp-dh-sha2 & draft-ietf-curdle-ssh-kex-sha2
Damien Miller <djm@mindrot.org> Tue, 13 September 2016 18:56 UTC
Date: Wed, 14 Sep 2016 03:47:20 +1000 (AEST)
From: Damien Miller <djm@mindrot.org>
To: "Mark D. Baushke" <mdb@juniper.net>
cc: Curdle <curdle@ietf.org>, IETF SSH <ietf-ssh@NetBSD.org>
Subject: Re: draft-ietf-curdle-ssh-modp-dh-sha2 &
draft-ietf-curdle-ssh-kex-sha2

On Sun, 11 Sep 2016, Mark D. Baushke wrote:

> I have split out a new draft draft-ietf-curdle-ssh-modp-dh-sha2 [1]
> (called "new-modp" in the Reference table below) forked from the
> draft-ietf-curdle-ssh-kex-sha2-04 draft. It specifies the new MOD DH KEX
> Groups that use SHA-2 hashes. This edition specifies both the new
> diffie-hellman-group* names of the -04 revision as well as adding the
> gss-group* names.
>
> Before I update draft-ietf-curdle-ssh-kex-sha2-05 to point to it, I
> would like to take a straw poll of which algorithms (if any) should be
> defined as a MUST to implement. My personal preference was just
> curve25519-sha256. However, at least a few implementors have said that
> they were not planning to do any ECDH implementations. So, I am guessing
> that "diffie-hellman-group14-sha256" may be the only one that everyone
> might be able to agree is a MUST to implement.

I agree with your choice in MUST. Two other nits:

> Key Exchange Method Name              Reference   Note
> curve25519-sha256                     ssh-curves  MUST
> curve448-sha512                       ssh-curves  MAY
> diffie-hellman-group-exchange-sha1    RFC4419     SHOULD NOT
> diffie-hellman-group-exchange-sha256  RFC4419     MAY
> diffie-hellman-group1-sha1            RFC4253     SHOULD NOT
> diffie-hellman-group14-sha1           RFC4253     SHOULD
> diffie-hellman-group14-sha256         new-modp    MUST
> diffie-hellman-group15-sha512         new-modp    MAY
> diffie-hellman-group16-sha512         new-modp    SHOULD
> diffie-hellman-group17-sha512         new-modp    MAY
> diffie-hellman-group18-sha512         new-modp    MAY
> ecdh-sha2-nistp256                    RFC5656     SHOULD
> ecdh-sha2-nistp384                    RFC5656     SHOULD
> ecdh-sha2-nistp521                    RFC5656     SHOULD
> ecdh-sha2-*                           RFC5656     MAY
> ecmqv-sha2                            RFC5656     MAY

Has anyone ever implemented this? AFAIK the motivation for this was MQV
being included in NSA Suite B at the time, but it was subsequently
dropped. IMO if nobody is using it then it should be recommended
against. I.e. SHOULD NOT

> gss-group14-sha1-*                    RFC4462     SHOULD
> gss-group14-sha256-*                  new-modp    SHOULD

IMO these two should be MAY. Most implementations don't support GSSAPI
key exchange at all.

Thanks for your patience in wrangling this.

-d
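
Added example (not part of the original message, and not code from either draft): a Python check that classifies a kex name-list against the requirement levels in the table quoted above, optionally with the three changes proposed in this reply applied. The sample name-list, the GSS mechanism suffix in it, and the names `level_for`, `audit` and `REPLY_CHANGES` are constructed for illustration.

```python
import fnmatch

# Requirement levels exactly as listed in the table quoted in this message.
DRAFT_LEVELS = {
    "curve25519-sha256": "MUST",
    "curve448-sha512": "MAY",
    "diffie-hellman-group-exchange-sha1": "SHOULD NOT",
    "diffie-hellman-group-exchange-sha256": "MAY",
    "diffie-hellman-group1-sha1": "SHOULD NOT",
    "diffie-hellman-group14-sha1": "SHOULD",
    "diffie-hellman-group14-sha256": "MUST",
    "diffie-hellman-group15-sha512": "MAY",
    "diffie-hellman-group16-sha512": "SHOULD",
    "diffie-hellman-group17-sha512": "MAY",
    "diffie-hellman-group18-sha512": "MAY",
    "ecdh-sha2-nistp256": "SHOULD",
    "ecdh-sha2-nistp384": "SHOULD",
    "ecdh-sha2-nistp521": "SHOULD",
    "ecdh-sha2-*": "MAY",
    "ecmqv-sha2": "MAY",
    "gss-group14-sha1-*": "SHOULD",
    "gss-group14-sha256-*": "SHOULD",
}
# The three changes proposed in this reply (overlay on the table above).
REPLY_CHANGES = {"ecmqv-sha2": "SHOULD NOT",
                 "gss-group14-sha1-*": "MAY", "gss-group14-sha256-*": "MAY"}

def level_for(name, levels):
    """Exact row wins over a wildcard row; the longest matching pattern wins."""
    if name in levels:
        return levels[name]
    hits = [p for p in levels if "*" in p and fnmatch.fnmatchcase(name, p)]
    return levels[max(hits, key=len)] if hits else "UNLISTED"

def audit(kex_csv, levels):
    """Classify a comma-separated kex name-list and list absent MUST methods."""
    offered = [n.strip() for n in kex_csv.split(",") if n.strip()]
    report = {n: level_for(n, levels) for n in offered}
    missing = sorted(p for p, lvl in levels.items()
                     if lvl == "MUST" and p not in offered)
    return report, missing

# Constructed sample name-list (not taken from any real host).
SAMPLE = ("diffie-hellman-group14-sha256,ecdh-sha2-nistp256,"
          "ecdh-sha2-1.3.132.0.10,diffie-hellman-group1-sha1,ecmqv-sha2,"
          "gss-group14-sha1-EXAMPLEMECH")
```

Calling `audit(SAMPLE, {**DRAFT_LEVELS, **REPLY_CHANGES})` evaluates the same list under the levels this reply argues for.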