Re: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpeno-13: (with DISCUSS and COMMENT)

"Black, David" <David.Black@dell.com> Mon, 13 November 2017 09:20 UTC

Return-Path: <David.Black@dell.com>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 526BC129535; Mon, 13 Nov 2017 01:20:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.72
X-Spam-Level:
X-Spam-Status: No, score=-2.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dell.com header.b=zC+PT2YL; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=emc.com header.b=rY29LrIO
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xg1W4OBYyncP; Mon, 13 Nov 2017 01:20:52 -0800 (PST)
Received: from esa4.dell-outbound.iphmx.com (esa4.dell-outbound.iphmx.com [68.232.149.214]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88475129505; Mon, 13 Nov 2017 01:20:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dell.com; i=@dell.com; q=dns/txt; s=smtpout; t=1510564852; x=1542100852; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=EC8u7tP2jIjyiCcukDa0+hXw3jYkesfgM5+FPG3NWbk=; b=zC+PT2YL+vXfadT5m3u25PvHlQQKmuNZjec0rP42KdE1u/fOn6OdVWrB jY2Fl2yDzYTV3EEXLj0gwemxKbYf54lDIO/u9r/I9C8hIAuap/huN21MP KGudp9pr3C/1th6zW1Gqa6BAAqcdTYpzARjIxIpdX1af6PbjUM1q8ibBC U=;
IronPort-PHdr: =?us-ascii?q?9a23=3A3svo7BanLc7SxoEcXfXSduL/LSx+4OfEezUN459i?= =?us-ascii?q?sYplN5qZps2/ZR7h7PlgxGXEQZ/co6odzbGH4+a4ASQp2tWoiDg6aptCVhsI24?= =?us-ascii?q?09vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6nK94iQPFRrhKAF7?= =?us-ascii?q?Ovr6GpLIj8Swyuu+54Dfbx9GiTe5Yr5+Ngm6oRnMvcQKnIVuLbo8xAHUqXVSYe?= =?us-ascii?q?RWwm1oJVOXnxni48q74YBu/SdNtf8/7sBMSar1cbg2QrxeFzQmLns65Nb3uhnZ?= =?us-ascii?q?TAuA/WUTX2MLmRdVGQfF7RX6XpDssivms+d2xSeXMdHqQb0yRD+v9LlgRgP2hy?= =?us-ascii?q?gbNj456GDXhdJ2jKJHuxKquhhzz5fJbI2JKPZye6XQds4YS2VcRMZcTyxPDJ2h?= =?us-ascii?q?YYsTAeQPPuhYoIv8p1QSohWxChKhBP/0xTJMmnP6wbE23uYnHArb3AIgBdUOsH?= =?us-ascii?q?HModn7KaoSVfq6w7XLzTnbcvhY1y3y6JbJch88r/2HQLV9f8TLxkkxFgPKk0+c?= =?us-ascii?q?pJHhPzyPyusNsHOW4Pd+WuKrj24rsR1+oj+qxso1jITCm4Ebykjc+Ch4w4s5P8?= =?us-ascii?q?O0RUBlbdK+DZddty6XO5FyT84hW21kpTo2xqcbtZKnfCUG0pcqywTCZ/GJc4WE?= =?us-ascii?q?+hzjW/iSLDtkgX9ofbGyihm2/Eiuz+DxVtS730xUoidAj9XAq2sC2hnc58WJSf?= =?us-ascii?q?Zw/kGs0iuV2Q/J8OFLO0U0mLLeK54m37E/iIIesV/GHi/qgEX2i7KWdlk89uio?= =?us-ascii?q?9evnZrLmq4eCOI9vkA7zPb4ildGhDuQ8NggCRm+b+fmg1LL4+k35XbNKgeAonq?= =?us-ascii?q?XDsZDaPcQbpqu2AgNPzokj7BO/Ay+n0NQeg3YHMEpIdROEgoTzJV3DLu70Ae2i?= =?us-ascii?q?j1msnzpn3fTLM775DpXINHfDkbPhfbhn605bzQo+1d5R6IhKCrEAPf3/QFL8tN?= =?us-ascii?q?jCARAlMAy52PvoB8t51oMaQ26AHqiZMKbKvV+S+u0vO/WMZJMSuDvlNvcl/eTh?= =?us-ascii?q?jXElmVMEfKmmw4cXaH6hEvR6P0qZeXvsgtEdHmsTogoxUPTqh0OEUT5UfHuyXr?= =?us-ascii?q?wz5i01CI68CofDXI+tiqSb3CinBp1WenxGCleUHHfpaYqEQPgMZTmTIsB/jjwE?= =?us-ascii?q?W6KtS4g71RGhrAX60aZoLvLI+i0EspLuzMR16PHLlREz8zx7E92R3H2NT25un2?= =?us-ascii?q?MIXSQ20bt+oUNj1leD37J0g/tCFdxc//lJSBs1NYbAz+xmDND/Qh7BccuRSFan?= =?us-ascii?q?RNWpHSo8TtMvzN8SbUZxAdKijgrM33niP7hAu7WVBZB816vO3nXrKt01xmbe1b?= =?us-ascii?q?MslBF8GpIfcDX8w/cnvzDoO8adlkyLlquweL9Z0SDS+G6OzWuBsUwGDwtxW6/G?= =?us-ascii?q?QHBOa02KvMvR+k7HV7i0AK42dwJNxdSPMbAMcdbyy05aTfHtP87SJW+9hjH0TT?= =?us-ascii?q?uSx7jEVofxcGIH2CyVXEUHiSgJ4XiDcwM5A3HyjXjZCWkkP1bmaECoucV3tnK3?= =?us-ascii?q?BAdg4wiUbkEn/b688R09ifGYT7UY2bdS63RpkCl9AFvoh4GeMNGHvQc0OfwEOd?= =?us-ascii?q?4=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A2EQAAB5YglamGKa6ERaAQ4LAQEBAQEBA?= =?us-ascii?q?QEBAQEBBwEBAQEBgmaBIxBuJweDd4ofjymBfX6VUhCBPkMKGAuESU8CGoQ0Pxg?= =?us-ascii?q?BAQEBAQEBAQEBAhABAQEBAQgLCwYoL4I4JAENRyEFBgEBAQEBASYBAQEBAQEBA?= =?us-ascii?q?QEBAQEBAQEBAQEXAj0BEgEBGAEBAQECAQEBIREMHwwDCwEEBwQCAQgRBAEBAwI?= =?us-ascii?q?GDwIMAwICAiULFAEICAIEAQ0FCAyKBggBD6togieDEId2AQEBAQEBAQEBAQEBA?= =?us-ascii?q?QEBAQEBAQEBFQMFgQ+CIQSBDhAYUYFWgWiCdTWEZAESASEFMyMBgjcxgjKHYJp?= =?us-ascii?q?JBgKPOYdehgiLJYxmiRECBAIEBQIagTkfgTxvel6CZIJbARAMGYEPP3eGLIEkg?= =?us-ascii?q?REBAQE?=
X-IPAS-Result: =?us-ascii?q?A2EQAAB5YglamGKa6ERaAQ4LAQEBAQEBAQEBAQEBBwEBAQE?= =?us-ascii?q?BgmaBIxBuJweDd4ofjymBfX6VUhCBPkMKGAuESU8CGoQ0PxgBAQEBAQEBAQEBA?= =?us-ascii?q?hABAQEBAQgLCwYoL4I4JAENRyEFBgEBAQEBASYBAQEBAQEBAQEBAQEBAQEBAQE?= =?us-ascii?q?XAj0BEgEBGAEBAQECAQEBIREMHwwDCwEEBwQCAQgRBAEBAwIGDwIMAwICAiULF?= =?us-ascii?q?AEICAIEAQ0FCAyKBggBD6togieDEId2AQEBAQEBAQEBAQEBAQEBAQEBAQEBFQM?= =?us-ascii?q?FgQ+CIQSBDhAYUYFWgWiCdTWEZAESASEFMyMBgjcxgjKHYJpJBgKPOYdehgiLJ?= =?us-ascii?q?YxmiRECBAIEBQIagTkfgTxvel6CZIJbARAMGYEPP3eGLIEkgREBAQE?=
Received: from esa4.dell-outbound2.iphmx.com ([68.232.154.98]) by esa4.dell-outbound.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Nov 2017 03:20:51 -0600
From: "Black, David" <David.Black@dell.com>
Received: from mailuogwhop.emc.com ([168.159.213.141]) by esa4.dell-outbound2.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Nov 2017 15:20:50 +0600
Received: from maildlpprd05.lss.emc.com (maildlpprd05.lss.emc.com [10.253.24.37]) by mailuogwprd01.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id vAD9KkIq031730 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 13 Nov 2017 04:20:48 -0500
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd01.lss.emc.com vAD9KkIq031730
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1510564849; bh=o12u2Ef7yw2W5t7C4+5NkfEfoZQ=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version; b=rY29LrIOI+1UVI7o5ZJEVT3cM/c8u6H0fNjBSBaqxOoIm/2QT1BGHZSOxjQXYLvcd LpajrIjxHEtWQN4MWUkts+NGshf9bXN9gIZu/u4X6h/+qqip6oXD+0KB6ocWpgKh6P y4zUwPSZKgAR4XKzv6LIwFuZngeMJo5Bnv+f/yy8=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd01.lss.emc.com vAD9KkIq031730
Received: from mailusrhubprd54.lss.emc.com (mailusrhubprd54.lss.emc.com [10.106.48.19]) by maildlpprd05.lss.emc.com (RSA Interceptor); Mon, 13 Nov 2017 04:20:30 -0500
Received: from MXHUB319.corp.emc.com (MXHUB319.corp.emc.com [10.146.3.97]) by mailusrhubprd54.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id vAD9KYIs021455 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=FAIL); Mon, 13 Nov 2017 04:20:35 -0500
Received: from MX307CL04.corp.emc.com ([fe80::849f:5da2:11b:4385]) by MXHUB319.corp.emc.com ([10.146.3.97]) with mapi id 14.03.0352.000; Mon, 13 Nov 2017 04:20:34 -0500
To: David Mazieres expires 2018-02-10 PST <mazieres-efwdaehigee67mibbkuh9en4yw@temporary-address.scs.stanford.edu>, Eric Rescorla <ekr@rtfm.com>
CC: "tcpinc@ietf.org" <tcpinc@ietf.org>, Kyle Rose <krose@krose.org>, "tcpinc-chairs@ietf.org" <tcpinc-chairs@ietf.org>, "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>, The IESG <iesg@ietf.org>, "draft-ietf-tcpinc-tcpeno@ietf.org" <draft-ietf-tcpinc-tcpeno@ietf.org>
Thread-Topic: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpeno-13: (with DISCUSS and COMMENT)
Thread-Index: AQHTWpFI+r6/uZGf7EaERFdyZEp+YKMQLzowgABZgQCAACMUgIAAAKYAgAAE5YCAANlEoIAAWgoA//+w/FCAAKv8gP//vj6A
Date: Mon, 13 Nov 2017 09:20:34 +0000
Message-ID: <CE03DB3D7B45C245BCA0D243277949362FD4D450@MX307CL04.corp.emc.com>
References: <151036581280.449.10740505473540594433.idtracker@ietfa.amsl.com> <CE03DB3D7B45C245BCA0D243277949362FD495EF@MX307CL04.corp.emc.com> <CABcZeBPfk6Pi=_UPvTBaS9jQBYjExUdqkdX5Q--iUuyCv_qZtw@mail.gmail.com> <CAJU8_nWpVhm4oTT+SLyG-nk=ww7nBU-DaVe86rUU-LGGqJvHvQ@mail.gmail.com> <CABcZeBO0TD0KnpTfe6CbHUoiS=FmGiGW6r_mFMH_9bYFWKqKLA@mail.gmail.com> <CABcZeBNp=1c1cx0+nJezjWy_Q4N9-PUeQuqOU_k7A7KhRj18EQ@mail.gmail.com> <CE03DB3D7B45C245BCA0D243277949362FD4BB57@MX307CL04.corp.emc.com> <CABcZeBPL2mVFtsL77Bdr=BUf7cb+qe_+Wxq42AtoohHmSmJaCg@mail.gmail.com> <CE03DB3D7B45C245BCA0D243277949362FD4BDAB@MX307CL04.corp.emc.com> <877euu7hy0.fsf@ta.scs.stanford.edu>
In-Reply-To: <877euu7hy0.fsf@ta.scs.stanford.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.105.8.135]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd54.lss.emc.com
X-RSA-Classifications: public
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/n_Lqo8fnmeCkN8K8o5nCPgEBc9U>
Subject: Re: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpeno-13: (with DISCUSS and COMMENT)
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Nov 2017 09:20:56 -0000

Hi David,

Separating and labelling topics ...

--[1]-- TEP encryption security strength

> First, I'm not sure I understand your criticism about permit
> the negotiation, as we would expect most TEPs to engage in some sort of
> cipher suite negotiation.  

This is entirely editorial about word choice - "permit the negotiation" sounds like a runtime requirement to me, whereas this section is entirely design requirements.  Using "support" instead of "permit the negotiation of" is among the ways to make this clearer, IMHO.

> Second, why make this more complicated with the SHOULD 128?  Can we just have a 120-bit requirement?

I think this is a "show your work" situation.  I'd expect a 120-bit requirement by itself to induce a fair amount of "where did that number of bits come from?" head scratching, starting from the inability to find a 120 bit security strength in SP 800-57.  Independent of wording and keyword choices, there appear to be two things going on:
	a) We want TEPs designed to at least 128 bits of strength.
	b) We're willing to accept a few bits less if necessary, but not many bits less.
I think both need to be stated for clarity, although I'm not attached to the precise words used, e.g., lower case "should" instead of "SHOULD" seems reasonable for the 128 bit design requirement.  One advantage of using a "SHOULD" for the 128 bits of strength is that it invokes RFC 2119's requirement that "the full implications must be understood and carefully weighed before choosing a different course."

--[2]-- Cross-TEP security considerations for "vanity crypto"

> The security considerations paragraph is trying to make a different
> point from the one in section 5.1.  Section 5.1 says you MUST provide
> all this stuff as an input to your hash function.  Section 10 says that
> hash function MUST not be weird "vanity crypto."  In other words, it may
> be reasonable to use vanity crypto for key negotiation or session data
> encryption, because that only affects the security of one TEP.  However,
> the session ID hash function potentially affects *all* TEPs because if
> it's broken, it will permit negotiation rollback attacks to deprecated
> TEPs--even when both sides prefer a more secure TEP.

I would write what is meant/wanted here as opposed to assuming that the rationale behind the MUST will be clear to all future reviewers.

> I want to make clear that the session ID hash function choice
> needs extra scrutiny to prevent this point from being lost on future
> generations of IETF & IESG reviewers.  I don't have to make it a MUST if
> that seems really problematic.  But I also don't just want to reiterate
> the same point as section 5.1, which is I think what your proposed
> language does.

Text along those lines would be clearer, including stating that reviewers are an intended target audience.   Writing that text would be better than discussing the text that I wrote.  Guidance to security reviewers is a fine thing to put in Security Considerations.

--[3]-- IANA registry policy for TEP registry

> Final point:  I only have a tcpcrypt review from Barry Leiba.  Should I
> apply his suggestion of "IETF review" instead of "RFC Required"?  I
> originally wanted "Specification Required" because I thought the
> designated expert review it implied would be sufficient.  Mirja talked
> me up to "RFC Required," which I thought was more strict.  However, does
> the RFC Required not in fact demand any kind of expert review?  (Looking
> at RFC8126, it doesn't seem to.)  I would be perfectly happy with an
> IRTF or Independent Submission stream RFC so long as a designated expert
> agrees the document is not a waste of a code point.

This is somewhat in tension with the previous topic - how much review is sufficient to ensure that a weak TEP doesn't impact the security of all others?  The degree of review increases from Specification Required to RFC Required to IETF Review - if the need to ban potentially flawed vanity crypto hashes in TEPs is serious, then IETF Review seems justified, even though it imposes process costs on getting new TEPs approved.  In all cases, IANA will have a designated expert to advise on the registration, "RFC Required" adds the IESG taking a look, and IETF Review adds a lot more attention from the IETF security community.   More eyes tend to find more things ...

Thanks, --David

> -----Original Message-----
> From: Tcpinc [mailto:tcpinc-bounces@ietf.org] On Behalf Of David Mazieres
> Sent: Monday, November 13, 2017 2:32 AM
> To: Black, David <david.black@emc.com>om>; Eric Rescorla <ekr@rtfm.com>
> Cc: tcpinc@ietf.org; Kyle Rose <krose@krose.org>rg>; tcpinc-chairs@ietf.org;
> Black, David <david.black@emc.com>om>; Mirja Kuehlewind (IETF)
> <ietf@kuehlewind.net>et>; The IESG <iesg@ietf.org>rg>; draft-ietf-tcpinc-
> tcpeno@ietf.org
> Subject: Re: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpeno-13:
> (with DISCUSS and COMMENT)
> 
> "Black, David" <David.Black@dell.com> writes:
> 
> > I found something useful, as it turns out that I’ve seen this before in dealing
> w/another draft …
> >    o  TEPs MUST NOT permit the negotiation of any encryption algorithms
> >       with significantly less than 128-bit security.
> > To begin with, “permit the negotiation” is somewhat off, as this is a design-
> time requirement for TEP security strength.  Fortunately, NIST SP 800-57 part
> 1 covers the notion of “security strength” in significant detail, so citing that
> should provide clarity on that concept.  That leaves the concern about how
> not to lose AES-128 if an attack is discovered that knocks a few bits off of its
> security strength.  Here’s a suggestion with the full rationale:
> > o  TEP encryption SHOULD have a security strength [SP800-57part1] of at
> least 128 bits and MUST have a
> >    security strength of at least 120 bits.  The intent of this requirement is to
> allow use of encryption
> >    algorithms designed for 128 bit security strength if attacks should be
> discovered that weaken their
> >    security strength by a few bits.
> > I suggested 120 bits here as being halfway between 128 bits (clearly
> acceptable) and 112 bits (clearly unacceptable) – that could be some other
> number of bits, e.g., 124 bits.
> 
> Hi, David.  Thanks for this general approach.  However, I have a couple
> of points.  First, I'm not sure I understand your criticism about permit
> the negotiation, as we would expect most TEPs to engage in some sort of
> cipher suite negotiation.  Second, why make this more complicated with
> the SHOULD 128?  Can we just have a 120-bit requirement?  What about
> the following?
> 
>    o  TEPs MUST NOT permit the use of encryption algorithms with a
>       security strength [SP800-57part1] of less than 120 bits.  The
>       intent of this requirement is to allow the use of algorithms such
>       as AES-128 [AES] that are designed for 128-bit security and still
>       widely considered secure even after losing a few bits of security
>       to highly theoretical attacks.
> 
> If you accept that, then I think the only remaining issues are this from
> your other email:
> 
> > The complete Security Considerations paragraph that is the focus of this
> > Discuss point is:
> >
> >    Because TCP-ENO enables multiple different TEPs to coexist, security
> >    could potentially be only as strong as the weakest available TEP.  In
> >    particular, if session IDs do not depend on the TCP-ENO transcript in
> >    a strong way, an attacker can undetectably tamper with ENO options to
> >    force negotiation of a deprecated and vulnerable TEP.  To avoid such
> >    problems, TEPs MUST compute session IDs using only well-studied and
> >    conservative hash functions.  That way, even if other parts of a TEP
> >    are vulnerable, it is still intractable for an attacker to induce
> >    identical session IDs at both ends after tampering with ENO contents
> >    in SYN segments.
> >
> > That paragraph looks like a reasonable description of the security risk and
> > countermeasure, except for the one sentence that Ekr pointed out.   Here’s a
> > suggested fix:
> >
> > OLD
> >
> >    To avoid such
> >
> >    problems, TEPs MUST compute session IDs using only well-studied and
> >    conservative hash functions.
> >
> > NEW
> >
> >    To avoid such problems, TEPs are required to compute session IDs in a
> >    collision-resistant way based on the TCP-ENO transcript and other
> >    parameters, as specified in Section 6.
> >
> > This also reflects Mirja’s observation that IETF & IESG review will be the
> > means of ensuring that this happens, so a “MUST” is not needed here
> beyond the
> > “MUST” in Section 6.  In support of that observation, please be sure to make
> > Barry Leiba’s suggested IANA registry policy changes from RFC Required to
> IETF
> > Review.
> 
> The security considerations paragraph is trying to make a different
> point from the one in section 5.1.  Section 5.1 says you MUST provide
> all this stuff as an input to your hash function.  Section 10 says that
> hash function MUST not be weird "vanity crypto."  In other words, it may
> be reasonable to use vanity crypto for key negotiation or session data
> encryption, because that only affects the security of one TEP.  However,
> the session ID hash function potentially affects *all* TEPs because if
> it's broken, it will permit negotiation rollback attacks to deprecated
> TEPs--even when both sides prefer a more secure TEP.
> 
> I want to make clear clear that the session ID hash function choice
> needs extra scrutiny to prevent this point from being lost on future
> generations of IETF & IESG reviewers.  I don't have to make it a MUST if
> that seems really problematic.  But I also don't just want to reiterate
> the same point as section 5.1, which is I think what your proposed
> language does.
> 
> Final point:  I only have a tcpcrypt review from Barry Leiba.  Should I
> apply his suggestion of "IETF review" instead of "RFC Required"?  I
> originally wanted "Specification Required" because I thought the
> designated expert review it implied would be sufficient.  Mirja talked
> me up to "RFC Required," which I thought was more strict.  However, does
> the RFC Required not in fact demand any kind of expert review?  (Looking
> at RFC8126, it doesn't seem to.)  I would be perfectly happy with an
> IRTF or Independent Submission stream RFC so long as a designated expert
> agrees the document is not a waste of a code point.
> 
> Thanks,
> David
> 
> _______________________________________________
> Tcpinc mailing list
> Tcpinc@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpinc