IETF-SSH archive


Re: draft-ietf-curdle-ssh-modp-dh-sha2 & draft-ietf-curdle-ssh-kex-sha2

On Sun, 11 Sep 2016, Mark D. Baushke wrote:

> I have split out a new draft draft-ietf-curdle-ssh-modp-dh-sha2 [1]
> (called "new-modp" in the Reference table below) forked from the
> draft-ietf-curdle-ssh-kex-sha2-04 draft. It specifies the new MOD DH KEX
> Groups that use SHA-2 hashes. This edition specifies both the new
> diffie-hellman-group* names of the -04 revision as well as adding the
> gss-group* names.
> 
> Before I update draft-ietf-curdle-ssh-kex-sha2-05 to point to it, I
> would like to take a straw poll of which algorithms (if any) should be
> defined as a MUST to implement. My personal preference was just
> curve25519-sha256. However, at least a few implementors have said that
> they were not planning to do any ECDH implementations. So, I am guessing
> that "diffie-hellman-group14-sha256" may be the only one that everyone
> might be able to agree is a MUST to implement.

I agree with your choice of MUST. Two other nits:

> Key Exchange Method Name              Reference     Note
> curve25519-sha256                     ssh-curves    MUST
> curve448-sha512                       ssh-curves    MAY
> diffie-hellman-group-exchange-sha1    RFC4419       SHOULD NOT
> diffie-hellman-group-exchange-sha256  RFC4419       MAY
> diffie-hellman-group1-sha1            RFC4253       SHOULD NOT
> diffie-hellman-group14-sha1           RFC4253       SHOULD
> diffie-hellman-group14-sha256         new-modp      MUST
> diffie-hellman-group15-sha512         new-modp      MAY
> diffie-hellman-group16-sha512         new-modp      SHOULD
> diffie-hellman-group17-sha512         new-modp      MAY
> diffie-hellman-group18-sha512         new-modp      MAY
> ecdh-sha2-nistp256                    RFC5656       SHOULD
> ecdh-sha2-nistp384                    RFC5656       SHOULD
> ecdh-sha2-nistp521                    RFC5656       SHOULD
> ecdh-sha2-*                           RFC5656       MAY
> ecmqv-sha2                            RFC5656       MAY

Has anyone ever implemented this? AFAIK the motivation for this was
MQV being included in NSA Suite B at the time, but it was subsequently
dropped. IMO if nobody is using it then it should be recommended
against, i.e. SHOULD NOT.

> gss-group14-sha1-*                    RFC4462       SHOULD
> gss-group14-sha256-*                  new-modp      SHOULD

IMO these two should be MAY. Most implementations don't support
GSSAPI key exchange at all.

Thanks for your patience in wrangling this.

-d
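The requirement levels in the quoted table only matter through the negotiation in RFC 4253 section 7.1, where the first method on the client's name-list that the server also lists is the one used, whatever order the server prefers. The following is an added example, not code from the thread or from either draft: it parses two KEXINIT name-lists, runs that negotiation, and rates the outcome against the table as quoted (the two changes proposed in this reply are not applied). The client and server name-lists are constructed sample input, not captured from any host; the pattern rows (ecdh-sha2-*, gss-group14-*) are matched as globs, with an exact row winning over a pattern, which is an assumption about how the draft's wildcards are meant to be read.

```python
"""
Added example (not from the thread or from either draft): run the
RFC 4253 section 7.1 key-exchange negotiation over two KEXINIT name-lists
and rate the outcome against the requirement levels quoted in the thread.
"""
from fnmatch import fnmatchcase

# Requirement levels exactly as in the table quoted above. Entries with
# a '*' are treated as glob patterns; an exact entry wins over a pattern.
KEX_POLICY = {
    "curve25519-sha256": "MUST",
    "curve448-sha512": "MAY",
    "diffie-hellman-group-exchange-sha1": "SHOULD NOT",
    "diffie-hellman-group-exchange-sha256": "MAY",
    "diffie-hellman-group1-sha1": "SHOULD NOT",
    "diffie-hellman-group14-sha1": "SHOULD",
    "diffie-hellman-group14-sha256": "MUST",
    "diffie-hellman-group15-sha512": "MAY",
    "diffie-hellman-group16-sha512": "SHOULD",
    "diffie-hellman-group17-sha512": "MAY",
    "diffie-hellman-group18-sha512": "MAY",
    "ecdh-sha2-nistp256": "SHOULD",
    "ecdh-sha2-nistp384": "SHOULD",
    "ecdh-sha2-nistp521": "SHOULD",
    "ecdh-sha2-*": "MAY",
    "ecmqv-sha2": "MAY",
    "gss-group14-sha1-*": "SHOULD",
    "gss-group14-sha256-*": "SHOULD",
}

# Constructed sample name-lists (the comma-separated form carried in
# SSH_MSG_KEXINIT); not captured from any real host.
LEGACY_CLIENT_KEX = ("diffie-hellman-group1-sha1,"
                     "diffie-hellman-group14-sha1,"
                     "diffie-hellman-group14-sha256")
SERVER_KEX = ("curve25519-sha256,ecdh-sha2-nistp256,"
              "diffie-hellman-group14-sha256,diffie-hellman-group1-sha1")
HARDENED_SERVER_KEX = "curve25519-sha256,diffie-hellman-group14-sha256"


def parse_name_list(text):
    """Split an RFC 4251 name-list: comma-separated, non-empty names of
    printable US-ASCII without commas or whitespace. '' is the empty list."""
    if text == "":
        return []
    names = text.split(",")
    for name in names:
        if (not name or not name.isascii() or not name.isprintable()
                or " " in name):
            raise ValueError("malformed name-list entry: %r" % name)
    return names


def classify(name):
    """Requirement level for a method name: exact row first, then the
    pattern rows, else 'UNKNOWN' for a name the table does not cover."""
    if name in KEX_POLICY:
        return KEX_POLICY[name]
    for pattern, level in KEX_POLICY.items():
        if "*" in pattern and fnmatchcase(name, pattern):
            return level
    return "UNKNOWN"


def negotiate_kex(client, server):
    """RFC 4253 s7.1: the first method on the client's list that is also
    on the server's list is chosen; client order decides, server order
    does not. The host-key compatibility clause of s7.1 is omitted here,
    since every method in the table needs a signature-capable host key."""
    server_set = set(server)
    for name in client:
        if name in server_set:
            return name
    return None


def audit_negotiation(client_text, server_text):
    """Negotiate and report what a reviewer of a server's KEXINIT wants:
    the chosen method and its level, the SHOULD NOT methods the server
    still offers, and any MUST method the server lacks."""
    client = parse_name_list(client_text)
    server = parse_name_list(server_text)
    chosen = negotiate_kex(client, server)
    return {
        "negotiated": chosen,
        "level": classify(chosen) if chosen is not None else None,
        "server_offers_should_not": [n for n in server
                                     if classify(n) == "SHOULD NOT"],
        "server_lacks_must": [n for n, lvl in KEX_POLICY.items()
                              if lvl == "MUST" and n not in server],
    }


if __name__ == "__main__":
    for label, srv in (("server", SERVER_KEX),
                       ("hardened server", HARDENED_SERVER_KEX)):
        print(label, audit_negotiation(LEGACY_CLIENT_KEX, srv))
```

With the sample lists, the server that still offers diffie-hellman-group1-sha1 ends up using it with the legacy client even though it lists curve25519-sha256 first; the hardened server, which drops the SHOULD NOT method, still negotiates diffie-hellman-group14-sha256 with the same client, because that client also lists a MUST method further down.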
