Yaron Sheffer writes:
> I think RFC 6989 (additional tests when reusing DH values) should be a 
> normative reference,

There is not a single group defined, or even mentioned, in
RFC5996bis that requires those checks, so I think it can be
informational. Documents specifying groups that require those
checks should have the normative references to that document.

> and the text at the bottom of 2.12 should be strengthened to
> something like:
> 
> In such cases, additional tests defined in [RFC6989] MUST be performed 
> by the IKE peers. See this document, as well as [REUSE] for a security 
> analysis of this practice.

Why would the tests in RFC6989 need to be done only if the implementation
reuses exponents, and remembers the exponentials the other end used? The
previous sentence before that part is:

         An implementation that reuses exponentials MAY choose to
         remember the exponential used by the other endpoint on past
         exchanges and if one is reused to avoid the second half of
         the calculation.

And that "In such cases" would refer to a completely wrong thing. Also I
do not want to add new MUSTs at this point, especially as there is no
need for that for groups defined in this document.

> Rationale: even if EC groups (and the "DSA groups") are not defined in 
> RFC 5996, they are a mainstream use case and the RFC 6989 tests are 
> security critical for them. Also, process-wise, RFC 6989 is a Standards 
> Track document so the normative reference is legit.

And those documents specifying those groups should have normative
references to that document, and we should most likely make new
versions of those RFCs to include the reference. On the other hand,
the IANA registry already has that pointer, so I think that should be
enough for the implementors.

> Small typo: in Sec. 3.3.2, "do not need" -> "does not need", and "needs 
> to have" -> "need to have".

The first change I had already done; I did the other fix now, i.e.
changed:

         <t>Note, that MODP Diffie-Hellman groups listed above does
         not need any special validity tests to be performed, but
         other types of groups (ECP and MODP groups with small
         subgroups) needs to have some additional tests to be
         performed on them to use them securely. See "Additional
         Diffie-Hellman Tests for IKEv2" (<xref target='RFC6989' />)
         for more information.</t>

To:

        <t>Note, that MODP Diffie-Hellman groups listed above does not
        need any special validity tests to be performed, but other
        types of groups (ECP and MODP groups with small subgroups)
        need to have some additional tests to be performed on them to
        use them securely. See "Additional Diffie-Hellman Tests for
        IKEv2" (<xref target='RFC6989' />) for more information.</t>
_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec
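As an added illustration, not part of this thread or of the draft text quoted above, the following Python block implements the receive-side checks that RFC 6989 describes for the kinds of groups the quoted note distinguishes: the range check that suffices for the MODP (safe-prime) groups, the extra subgroup-membership check for MODP groups with small subgroups, and the point-on-curve check for ECP groups. All group and curve parameters here are tiny constructed toys, marked as such in the code, and the function and constant names are my own.

```python
"""Receive-side checks on a Diffie-Hellman public value in the spirit of
RFC 6989.  Added example: every group and curve below is a tiny constructed
toy, not a real IKEv2 group; never use these parameters for anything real."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ModpGroup:
    p: int                   # prime modulus
    g: int                   # generator
    q: Optional[int] = None  # order of the subgroup generated by g, when the
                             # group's definition publishes it (non-safe primes)


@dataclass(frozen=True)
class EcpCurve:
    p: int  # field prime
    a: int  # coefficients of the short Weierstrass form y^2 = x^3 + a*x + b
    b: int


def validate_modp_value(group: ModpGroup, y: int) -> str:
    """Return "ok" if the peer's public value y is acceptable, else the reason.

    1. Range check 1 < y < p-1: rejects 0, 1 and p-1, which force a trivially
       predictable shared secret.  Sufficient on its own for safe-prime groups.
    2. Subgroup check y^q mod p == 1, when q is known: a value outside the
       order-q subgroup is confined to a small subgroup and leaks information
       about a private exponent that is reused across exchanges.
    """
    if not 1 < y < group.p - 1:
        return "out-of-range"
    if group.q is not None and pow(y, group.q, group.p) != 1:
        return "not-in-subgroup"
    return "ok"


def validate_ecp_point(curve: EcpCurve, x: int, y: int) -> str:
    """Return "ok" if (x, y) is a point on the curve over GF(p), else the reason."""
    if not (0 <= x < curve.p and 0 <= y < curve.p):
        return "coordinate-out-of-range"
    if (y * y - (x ** 3 + curve.a * x + curve.b)) % curve.p != 0:
        return "not-on-curve"
    return "ok"


# Constructed toy parameters (NOT real IKEv2 groups):
# p = 23 is a safe prime (23 = 2*11 + 1), so the range check is all that is needed.
SAFE_PRIME_TOY = ModpGroup(p=23, g=5)
# p = 67 has p-1 = 2 * 3 * 11, so a subgroup of order 3 exists alongside the
# intended subgroup of order q = 11 generated by g = 64.
SMALL_SUBGROUP_TOY = ModpGroup(p=67, g=64, q=11)
# Toy curve y^2 = x^3 + 2x + 3 over GF(97).
TOY_CURVE = EcpCurve(p=97, a=2, b=3)


def demo() -> dict:
    """Run the checks over constructed peer values and return the verdicts."""
    return {
        "safe_prime_valid": validate_modp_value(SAFE_PRIME_TOY, 7),
        "safe_prime_p_minus_1": validate_modp_value(SAFE_PRIME_TOY, 22),
        # 64^5 mod 67 = 25 lies in the order-11 subgroup: accepted.
        "subgroup_valid": validate_modp_value(SMALL_SUBGROUP_TOY, pow(64, 5, 67)),
        # 37 has order 3 mod 67: passes the range check, fails the subgroup check.
        "subgroup_order3": validate_modp_value(SMALL_SUBGROUP_TOY, 37),
        "curve_on": validate_ecp_point(TOY_CURVE, 3, 6),
        "curve_off": validate_ecp_point(TOY_CURVE, 3, 7),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The order-3 value 37 is the case the quoted note is about: it is well inside the 1 < y < p-1 range, so only the y^q mod p test catches it, and that test needs q, which a safe-prime group's definition does not provide and does not need.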