[Fwd: [Russ Housley] DISCUSS: draft-ietf-secsh-newmodes-05]

[Bill Sommerfeld <sommerfeld%sun.com@localhost>]

Some review comments from Russ Housley.

As a strawman resolution to the DISCUSS comment, how about making
aes128-ctr REQUIRED?   (this new requirement has no effect on
implementations which don't claim to implement newmodes).

I haven't looked closely at the non-DISCUSS comments just yet.

						- Bill


-----Forwarded Message-----

From: Russ Housley <housley%vigilsec.com@localhost>
Subject: DISCUSS: draft-ietf-secsh-newmodes-05
Sender: iesg-bounces%ietf.org@localhost
To: iesg%ietf.org@localhost

SSH Transport Layer Encryption Modes (Proposed Standard)

DISCUSS

   All of the encryption modes described in this document are RECOMMENDED
   or OPTIONAL.  Why isn't one of them REQUIRED?

COMMENT

   I think that the last paragraph of the Abstract belongs in the
   Introduction.

   Section 3.1 says:
   >
   > The preferred way to do this is to rekey after receiving more than
   > 2**31 packets since the last rekey operation.
   >
   I suggest:
   >
   > The preferred implementation technique is to use the reception of
   > more than 2**31 packets since the last rekey operation as a trigger
   > to rekey.

   Two comments about section 4:

   * The description of counter mode seems compatible with NIST SP 800-38A.
     A single counter is used here, instead of a counter for each packet,
     but that does not seem to be a problem.  Please reference NIST
     SP 800-38A.

   * The usual reference for Triple-DES is:
       [3DES]  American National Standards Institute. ANSI X9.52-1998,
               Triple Data Encryption Algorithm Modes of Operation. 1998.

   Section 6.2 says:
   >
   > Fortunately, the common concerns with counter mode do not apply to
   > SSH because of the rekeying recommendations and because of the
   > additional protection provided by the transport protocol's MAC.
   >
   This sentence should also include the built-in initial key
   establishment capability.