More Modular Exponentiation (MODP) Diffie-Hellman (DH) Key Exchange (KEX) Groups for Secure Shell (SSH)
RFC 8268

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: The IESG <iesg@ietf.org>, ekr@rtfm.com, Daniel Migault <daniel.migault@ericsson.com>, curdle-chairs@ietf.org, curdle@ietf.org, daniel.migault@ericsson.com, draft-ietf-curdle-ssh-modp-dh-sha2@ietf.org, rfc-editor@rfc-editor.org
Subject: Protocol Action: 'More Modular Exponential (MODP) Diffie-Hellman (DH) Key Exchange (KEX) Groups for Secure Shell (SSH)' to Proposed Standard (draft-ietf-curdle-ssh-modp-dh-sha2-09.txt)

The IESG has approved the following document:
- 'More Modular Exponential (MODP) Diffie-Hellman (DH) Key Exchange (KEX)
   Groups for Secure Shell (SSH)'
  (draft-ietf-curdle-ssh-modp-dh-sha2-09.txt) as Proposed Standard

This document is the product of the CURves, Deprecating and a Little more
Encryption Working Group.

The IESG contact persons are Kathleen Moriarty and Eric Rescorla.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-modp-dh-sha2/


Technical Summary

  Relevant content can frequently be found in the abstract 
  and/or introduction of the document. If not, this may be 
  an indication that there are deficiencies in the abstract 
  or introduction.

This document defines added Modular Exponential (MODP) Groups for the
Secure Shell (SSH) protocol using SHA-2 hashes.

Working Group Summary

  Was there anything in WG process that is worth noting? For 
  example, was there controversy about particular points or 
  were there decisions where the consensus was particularly 
  rough?

The document received few reviews on the mailing list. However, 
discussions occur on whether:
    - choosing IKE vs TLS primes
    - choosing fixed primes versus random.  
The consensus for this document was to restraint to the primes defined for IKE.

  Are there existing implementations of the protocol? Have a 
  significant number of vendors indicated their plan to 
  implement the specification? Are there any reviewers that 
  merit special mention as having done a thorough review, 
  e.g., one that resulted in important changes or a 
  conclusion that the document had no substantive issues? If 
  there was a MIB Doctor, Media Type or other expert review, 
  what was its course (briefly)? In the case of a Media Type 
  review, on what date was the request posted?

The draft describes the following key exchange algorithms:
* diffie-hellman-group14-sha256 
* diffie-hellman-group15-sha512 
* diffie-hellman-group16-sha512 
* diffie-hellman-group17-sha512 
* diffie-hellman-group18-sha512 

These suites have been at least partially implemented. [00],[2]
* OpenSSH has implemented and distributed at least diffie-hellman-group14-sha256 it already [0]
* Dropbear has preliminary support for  diffie-hellman-group14-sha256 by Matt Johnston [1] 
* RLogin supports dh-group{14,15,16}-sha256 since version 2.19.8 [3]. 
* Tera Term committed dh-group{14,15,16}-sha256  support committed to trunk, and it will be included in next release. [4] 
* Poderosa [5] committed to support dh-group{14,15,16}-sha256 support where a pull request has been sent  [6]. 

[00] http://ssh-comparison.quendi.de/comparison/kex.html
[0] https://jbeekman.nl/blog/2015/05/ssh-logjam/
[1]  http://www.ietf.org/mail-archive/web/secsh/current/msg01119.html
[2] http://www.ietf.org/mail-archive/web/secsh/current/msg01139.html
[3] http://nanno.dip.jp/softlib/man/rlogin/ 
[4] https://en.osdn.jp/projects/ttssh2/scm/svn/commits/6263
[5] http://poderosa.sourceforge.net/ in 
[6] https://github.com/poderosaproject/poderosa/pull/17