Stephen Farrell writes:
> >> And would we still recommend 1536 D-H and wouldn't 2048 by itself be
> >> sufficient?
> >
> > The RFC4307bis in the IPsecME WG will most likely say that 2048 bit
> > MODP group is mandatory to implement, but I would expect that
> > constrained devices might want to use ECP or smaller MODP groups
> > instead.
>
> Meh, I'd say though that not mentioning 1024 RSA or 1536 DH would
> be a lot better.

About the RSA key sizes: The 1024 bit RSA is a direct copy from the
RFC7296, so that's why it is there.

About the DH key sizes: Current mandatory to implement Diffie-Hellman
group in IKEv2 is 1024-bit DH, but as we are going to change that in
RFC4307bis, I removed it from the list already. The rfc4307 will be
saying MUST for 2048 bit DH, so that's why that is there, but as this is
for constrained devices, there may be some use for 1536-bit DH still.

> Given that you're not specifying what's MTI why is it a good idea to
> include those? As is, someone will claim that they're ok using 1024
> bit is ok when they didn't really need to do that.

As I said 1024-bit RSA is still mandatory to implement in IKEv2. If
you feel that it is not safe anymore, then we most likely need to put
that in the RFC4307bis too, i.e. change the mandatory to implement
authentication methods of IKEv2. Now we just change the crypto
algorithms, but do not change requirements for certificates or
authentication methods.

Anyways that is something that needs to be discussed in the IPsecME WG
when working on the 4307bis (I will start a thread).

1536-bit DH is still considered to be several thousand times harder to
break than 1024-bit DH, so it should be ok for small IoT devices for
some time. Also quite a lot of information transmitted by those
devices are not really things that require confidentiality for years.

Yes, you do not want to leak that your room temperature is lowered by
5 degrees so burglars do not know that you are not at home, but quite
often it does not matter if NSA gets that information after cracking
your 1536-bit DH using years of CPU time. They most likely already had
that information from your plane tickets.

And nothing prevents using stronger groups if confidentiality is
really an issue.
-- 
[email protected]
