Joseph Galbraith | 4 Feb 17:36 2005

Re: DH KEX names an "aberration"?

Chris Lonvick wrote:
> Hi,
> 
> The coin toss was for this subject.  Please read over the prior and
> current text and let me know if the proposed text sounds good.
> Wordsmithing would be appreciated.
> 
> Past - [TRANS]-21:
> 
>    Additional methods may be defined as specified in [SSH-NUMBERS].
>    Note that, for historical reasons, the name
>    "diffie-hellman-group1-sha1" is used for a key exchange method using
>    Oakley Group 2.  This is considered an aberration and should not be
>    repeated.  Any future specifications of Diffie Hellman key exchange
>    using Oakley groups defined in [RFC2412] or its successors should be
>    named using the group numbers assigned by IANA, and names of the form
>    "diffie-hellman-groupN-sha1" should be reserved for this purpose.
> 
> Current - [TRANS]-22:
> 
>    Additional methods may be defined as specified in [SSH-NUMBERS].
>    Note that, for historical reasons, the name
>    "diffie-hellman-group1-sha1" is used for a key exchange method using
>    an Oakley group as defined in [RFC2412].  Subsequently, the Working
>    Group attempted to follow the numbering scheme of group numbers from
>    [RFC3526] with diffie-hellman-group14-sha1 for the name of the second
>    defined name.  This is considered an aberration and should not be
>    repeated.  Any future specifications of Diffie-Hellman key exchange
>    using Oakley groups defined in [RFC2412] or its successors should be
>    performed with care and a bit of research.
(Continue reading)

Jeffrey Hutzelman | 4 Feb 18:40 2005
Picon

Re: DH KEX names an "aberration"?

On Friday, February 04, 2005 09:36:37 AM -0700 Joseph Galbraith 
<galb-list <at> vandyke.com> wrote:

> Chris Lonvick wrote:

>>    [...] This inconsistency should not be repeated.  The naming
>>    of future specifications of Diffie-Hellman key exchange using Oakley
>>    groups defined in [RFC2412] or its successors should be performed
>>    with forethought and care.
>
> I don't recall the results of the coin toss, and it isn't
> clear from this.  So how about one of the following, depending
> on which way the toss went:
>
>    Additional methods may be defined as specified in [SSH-NUMBERS].
>    Note that for historical reasons the name
>    "diffie-hellman-group1-sha1" is used for a key exchange method using
>    an Oakley group as defined in [RFC2412].  Subsequently, the Working
>    Group attempted to follow the numbering scheme of group numbers from
>    [RFC3526] with diffie-hellman-group14-sha1 for the name of the second
>    defined name.  Future groups borrowed from [RFC2412] should continue
>    to use the same numbering scheme used by [RFC3526].  However, without
>    specific IETF action, no addition groups from [RFC3526] are valid in
>    the SSH protocol.
>
> OR:
>
>    Additional methods may be defined as specified in [SSH-NUMBERS].
>    Note that for historical reasons the name
>    "diffie-hellman-group1-sha1" is used for a key exchange method using
(Continue reading)

denis bider | 4 Feb 19:44 2005

RE: DH KEX names an "aberration"?

> I think I prefer the phrasing "[RFC2412] and its successors". 
> Otherwise, Joseph's text looks good.

Looks good to me too.

It is my impression that the second variant is where we are headed, i.e.,
with Jeffrey's nit, like this:

> Additional methods may be defined as specified in [SSH-NUMBERS].
> Note that for historical reasons the name "diffie-hellman-group1-sha1"
> is used for a key exchange method using an Oakley group as defined
> in [RFC2412].  Subsequently, the Working Group attempted to follow
> the numbering scheme of group numbers from [RFC3526] with
> diffie-hellman-group14-sha1 for the name of the second defined name.
> Future groups borrowed from [RFC2412] and its successors should not
> attempt to use the same numbering scheme used by [RFC3526], but
> should use numbering unique to SSH.  I.e., the next group defined for
> SSH should be diffie-hellman-group2-sha1, regardless of its source.

Jeffrey Hutzelman | 4 Feb 20:04 2005
Picon

RE: DH KEX names an "aberration"?


On Friday, February 04, 2005 07:44:39 PM +0100 denis bider 
<ietf-ssh <at> denisbider.com> wrote:

>> I think I prefer the phrasing "[RFC2412] and its successors".
>> Otherwise, Joseph's text looks good.
>
> Looks good to me too.
>
> It is my impression that the second variant is where we are headed, i.e.,
> with Jeffrey's nit, like this:
>
>
>> Additional methods may be defined as specified in [SSH-NUMBERS].
>> Note that for historical reasons the name "diffie-hellman-group1-sha1"
>> is used for a key exchange method using an Oakley group as defined
>> in [RFC2412].  Subsequently, the Working Group attempted to follow
>> the numbering scheme of group numbers from [RFC3526] with
>> diffie-hellman-group14-sha1 for the name of the second defined name.

So far, so good - these groups come from specific documents

>> Future groups borrowed from [RFC2412] and its successors should not

But "future groups" could come from any of this series of documents, so 
again, this is the right phrasing.

>> attempt to use the same numbering scheme used by [RFC3526], but

The numbering scheme is shared by all the documents, not just this one.
(Continue reading)

Bill Sommerfeld | 4 Feb 21:32 2005
Picon

RE: DH KEX names an "aberration"?

On Fri, 2005-02-04 at 14:04, Jeffrey Hutzelman wrote:

> > ticket 460, 601: no consensus on list.
> > flipped coin, heads for "group2", tails for "group14", came up tails
> > will stick with diffie-hellman-group14-sha1
> 
> That implies the coin flip was only intended to apply to that one decision, 
> and not to set a direction for future naming.  Bill, can you comment on 
> this?

correct.  it was intended only for that one decision.

> I'd prefer to have a direction for future naming, but not at the expense of 
> delaying things indefinitely.  If we can agree on a direction, or accept 
> the coin toss as setting one, then we should use one of Joseph's proposed 
> paragraphs (modulo the wordsmithing we've just done).

(wg chair hat off)

For future direction, my preference would be to do something which doesn't
involve us arguing over which small integer refers to a which large integer.

but who am I to interfere with what appears to be gathering consensus..

						- Bill

Chris Lonvick | 7 Feb 22:34 2005
Picon

RE: DH KEX names an "aberration"?

Hi,

Way back in time, the WG agreed to use diffie-hellman-group2-sha1 for the
second defined kex method.  We never put that into any of the IDs as we
started discussing "proper naming".  I believe it was early last year and
we went for some time before we got into the discussion of associating the
number used with the group to the "group" number defined in RFC3526.
This led us to agree to use diffie-hellman-group14-sha1 and that's the way
it became in [TRANS]-19 and continues this way in the IDs.  Tero Kevininen
pointed out (in August) that "14"  should probably not be used as that
wasn't going to be a consistently referenceable number for the future.
This led some to think about going back to "2" but others argued that "14"
was in shipping code.  The coin toss resulted in us agreeing to use "14"
but we did not mention what we were to do with "2" nor with what we were
to do about recommending future naming schemes.  I was hoping to duck that
issue which I will now name "the briar patch issue".  (Every time I try to
crawl out of it, I get stuck worse.)

Going with the assumption that those who forget history are doomed to
repeat it, I'll propose the following text:

   Additional methods may be defined as specified in [SSH-NUMBERS].
   Note that the name "diffie-hellman-group1-sha1" is used for the first
   defined key exchange method using an Oakley group referenced from
   [RFC2412].  The Working Group first attempted to progress the
   namespace scheme by using "diffie-hellman-group2-sha1" for the second
   defined key exchange (kex) name.  This name was never used in any
   Working Group documents but was discussed in the mailing list.  It is
   not known if this kex name was implemented in any shipping code.
   During this deliberation period, the Working Group wanted to provide
(Continue reading)

Jeffrey Hutzelman | 7 Feb 22:56 2005
Picon

RE: DH KEX names an "aberration"?


On Monday, February 07, 2005 01:34:00 PM -0800 Chris Lonvick 
<clonvick <at> cisco.com> wrote:

>    Additional methods may be defined as specified in [SSH-NUMBERS].
>    Note that the name "diffie-hellman-group1-sha1" is used for the first
>    defined key exchange method using an Oakley group referenced from
>    [RFC2412].  The Working Group first attempted to progress the
>    namespace scheme by using "diffie-hellman-group2-sha1" for the second
>    defined key exchange (kex) name.  This name was never used in any
>    Working Group documents but was discussed in the mailing list.  It is
>    not known if this kex name was implemented in any shipping code.
>    During this deliberation period, the Working Group wanted to provide
>    for a better naming scheme and attempted to follow the numbering
>    scheme of group numbers from [RFC3526].  This resulted in the
>    selection of "diffie-hellman-group14-sha1" rather than
>    "diffie-hellman-group2-sha1" which the Working Group felt was not as
>    descriptive.  After this name was generally approved by consensus and
>    started appearing in subsequent Internet Drafts (and shipping code),
>    it was noted that the numbers associated with the groups in [RFC3526]
>    were assigned by the IANA and may be changed in the future, or that
>    numbers may not be used at all.  This caused some indecision within
>    the Working Group which was resolved at the Working Group meeting at
>    the 60th IETF with the formal adoption of the
>    "diffie-hellman-group14-sha1" name for the second defined kex method.
>    This inconsistency should not be repeated in the future.  Future
>    groups borrowed from [RFC2412] or its successors should not attempt
>    to associate SSH kex algorithms with numbers from [RFC3526].  The
>    naming of future specifications of Diffie-Hellman kex methods using
>    Oakley groups defined in [RFC2412] or its successors should be
(Continue reading)

Ben Harris | 8 Feb 01:15 2005
Picon

Re: DH KEX names an "aberration"?

In article <69EACAED88E645DE657FEDED <at> SIRIUS.FAC.CS.CMU.EDU> you write:
>I do not believe this document should make a value judgement on whether "it 
>will probably be best if future names are unique to SSH", because I do not 
>believe that we have consensus on whether that statement is true.

I agree.  To my mind, the naming of future KEX methods really isn't
important, and certainly isn't worth an entire page of explanatory text. 
The names are opaque strings, and anyone wanting to know what one means will
have to refer to the IANA registry anyway (since the two methods defined so
far use different naming schemes), so the next one (if group exchange
doesn't make it redundant) could perfectly well be called
diffie-hellman-plippyploppycheesenose-sha1 without causing any problems.

My feeling is that [SSH-TRANS] should be silent both on the history of the
existing names and what names should be used in future.

--

-- 
Ben Harris

der Mouse | 8 Feb 06:16 2005
Picon

Re: DH KEX names an "aberration"?

> [...], so the next [KEX method] (if group exchange doesn't make it
> redundant) could perfectly well be called
> diffie-hellman-plippyploppycheesenose-sha1 without causing any
> problems.

Well, except that some people would probably prefer
diffie-hellman-eblisoshaughnessy-sha1. :-)  Shall we toss a coin?

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse <at> rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

Bill Sommerfeld | 8 Feb 03:42 2005
Picon

RE: DH KEX names an "aberration"?

On Mon, 2005-02-07 at 16:56, Jeffrey Hutzelman wrote:

> I don't think this level of "legislative history" needs to be in the 
> document; that is what we have mailing list archives for.

Agreed.

> I do not believe this document should make a value judgement on whether "it 
> will probably be best if future names are unique to SSH", because I do not 
> believe that we have consensus on whether that statement is true.

Also agreed.  Let's not try to predict the future.

> An IETF standards-track document simply cannot say "the 
> working group was unable to reach consensus, but it should be this way". 

When i took a straw poll, there was no clear consensus either way.  Since this 
*should have been* a trivial matter, we had a public coin flip.

we seem to have gotten lost inside the bikeshed
(see http://www.unixguide.net/freebsd/faq/16.19.shtml).

						- Bill

Chris Lonvick | 10 Feb 17:52 2005
Picon

RE: DH KEX names an "aberration"?

Hi,

On Mon, 7 Feb 2005, Bill Sommerfeld wrote:

> On Mon, 2005-02-07 at 16:56, Jeffrey Hutzelman wrote:
>
> > I don't think this level of "legislative history" needs to be in the
> > document; that is what we have mailing list archives for.
>
> Agreed.
>
> > I do not believe this document should make a value judgement on whether "it
> > will probably be best if future names are unique to SSH", because I do not
> > believe that we have consensus on whether that statement is true.
>
> Also agreed.  Let's not try to predict the future.
>
> > An IETF standards-track document simply cannot say "the
> > working group was unable to reach consensus, but it should be this way".
>
> When i took a straw poll, there was no clear consensus either way.  Since this
> *should have been* a trivial matter, we had a public coin flip.
>
> we seem to have gotten lost inside the bikeshed
> (see http://www.unixguide.net/freebsd/faq/16.19.shtml).

The prior text which seemed to have near consensus was:

   Additional methods may be defined as specified in [SSH-NUMBERS].
   Note that for historical reasons the name
(Continue reading)

Bill Sommerfeld | 10 Feb 18:10 2005
Picon

RE: DH KEX names an "aberration"?

here's a revision which documents the past rather than constraining the future:

   Additional methods may be defined as specified in [SSH-NUMBERS]. The
   name "diffie-hellman-group1-sha1" is used for a key exchange method
   using an Oakley group as defined in [RFC2412].  SSH maintains its own
   group identifier space which is logically distinct from Oakley and IKE;
   however, for one additional group, the Working Group adopted the number
   assigned by [RFC3526], using diffie-hellman-group14-sha1 for the name of 
   the second defined group.  Implementations should treat these names as 
   opaque identifiers and should not assume any relationship between the groups
   used by SSH and the groups defined in 2412 and its successors.

						- Bill

Joseph Galbraith | 10 Feb 19:04 2005

Re: DH KEX names an "aberration"?

Bill Sommerfeld wrote:
> here's a revision which documents the past rather than constraining the future:
> 
>    Additional methods may be defined as specified in [SSH-NUMBERS]. The
>    name "diffie-hellman-group1-sha1" is used for a key exchange method
>    using an Oakley group as defined in [RFC2412].  SSH maintains its own
>    group identifier space which is logically distinct from Oakley and IKE;
>    however, for one additional group, the Working Group adopted the number
>    assigned by [RFC3526], using diffie-hellman-group14-sha1 for the name of 
>    the second defined group.  Implementations should treat these names as 
>    opaque identifiers and should not assume any relationship between the groups
>    used by SSH and the groups defined in 2412 and its successors.

This sounds good to me.

Thanks,

Joseph

Ben Harris | 11 Feb 14:49 2005
Picon

Re: DH KEX names an "aberration"?

In article <1108055458.11303.10.camel <at> thunk> you write:
>here's a revision which documents the past rather than constraining the future:
>
>   Additional methods may be defined as specified in [SSH-NUMBERS]. The
>   name "diffie-hellman-group1-sha1" is used for a key exchange method
>   using an Oakley group as defined in [RFC2412].  SSH maintains its own
>   group identifier space which is logically distinct from Oakley and IKE;
>   however, for one additional group, the Working Group adopted the number
>   assigned by [RFC3526], using diffie-hellman-group14-sha1 for the name of 
>   the second defined group.  Implementations should treat these names as 
>   opaque identifiers and should not assume any relationship between the groups
>   used by SSH and the groups defined in 2412 and its successors.

That seems good to me.  Having looked at the relevant RFCs and the IANA
IPsec registry, it looks like the official reference for IPsec group 2 is
RFC 2409 rather than RFC 2412, and RFC 3526 is only vaguely a successor to
either.  Perhaps "in 2412 and its successors" should read "for IKE".

--

-- 
Ben Harris

Chris Lonvick | 14 Feb 16:32 2005
Picon

Re: DH KEX names an "aberration"?

Hi,

On Fri, 11 Feb 2005, Ben Harris wrote:

> In article <1108055458.11303.10.camel <at> thunk> you write:
> >here's a revision which documents the past rather than constraining the future:
> >
> >   Additional methods may be defined as specified in [SSH-NUMBERS]. The
> >   name "diffie-hellman-group1-sha1" is used for a key exchange method
> >   using an Oakley group as defined in [RFC2412].  SSH maintains its own
> >   group identifier space which is logically distinct from Oakley and IKE;
> >   however, for one additional group, the Working Group adopted the number
> >   assigned by [RFC3526], using diffie-hellman-group14-sha1 for the name of
> >   the second defined group.  Implementations should treat these names as
> >   opaque identifiers and should not assume any relationship between the groups
> >   used by SSH and the groups defined in 2412 and its successors.
>
> That seems good to me.  Having looked at the relevant RFCs and the IANA
> IPsec registry, it looks like the official reference for IPsec group 2 is
> RFC 2409 rather than RFC 2412, and RFC 3526 is only vaguely a successor to
> either.  Perhaps "in 2412 and its successors" should read "for IKE".

Ben points out something important.  2412 is INFORMATIONAL.  2409 and 3526
are STANDARDS TRACK.  Since the proposed text appears to have general
consensus, I'll modify the referents as follows:

   Additional methods may be defined as specified in [SSH-NUMBERS]. The
   name "diffie-hellman-group1-sha1" is used for a key exchange method
   using an Oakley group as defined in [RFC2409].  SSH maintains its own
   group identifier space which is logically distinct from Oakley
(Continue reading)

Niels Möller | 14 Feb 16:12 2005
Picon
Picon
Picon

Re: DH KEX names an "aberration"?

Chris Lonvick <clonvick <at> cisco.com> writes:

> I'll take input on the following which may modify this text:
> 
> - Did anyone actually use "diffie-hellman-group2-sha1" in shipping code?

Shipped versions of lsh have used "diffie-hellman-group2-sha1" and
"diffie-hellman-group14-sha1" as synonyms.

> - Should we state that "2" has been poisoned because of that?

No.

> - Should we leave it as use "3" or "15" next?  (If anyone responds with
> "no" then they'll have to propose something better.)

I think it's best to not try to make promises on behalf of the future
working group. Bill's neutral text looked good to me.

Regards,
/Niels


Gmane