idnits 2.17.1

draft-ietf-curdle-rc4-die-die-die-06.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  -- The draft header indicates that this document obsoletes RFC4345, but the
     abstract doesn't seem to directly say this.  It does mention RFC4345
     though, so this could be OK.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords -- however, there's a paragraph with
     a matching beginning. Boilerplate error?

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).

     (Using the creation date from RFC4253, updated by this document, for
     RFC5378 checks: 1997-03-26)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (January 26, 2018) is 2282 days in the past.  Is this
     intentional?

  Checking references for intended status: Best Current Practice
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

     No issues found here.

     Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Internet Engineering Task Force (IETF)                         L. Camara
Internet-Draft                                          January 26, 2018
Obsoletes: 4345 (if approved)
Updates: 4253 (if approved)
Intended Status: Best Current Practice
Expires: July 30, 2018

                 Deprecating RC4 in Secure Shell (SSH)
                  draft-ietf-curdle-rc4-die-die-die-06

   [[RFC-Editor: please replace the second character of my surname by
   U+00E2 when publishing as RFC in the header and in all pages.
   Non-ASCII characters are allowed in RFCs as per RFC 7997.]]

Abstract

   This document deprecates RC4 in Secure Shell (SSH).  Therefore, this
   document updates RFC 4253, and formally obsoletes and moves to
   Historic RFC 4345.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 30, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction
   2. Why obsolete and move to Historic RFC 4345
   3. Updates to RFC 4253
   4. IANA Considerations
   5. Security Considerations
   6. Acknowledgements
   7. References
      7.1. Normative References
      7.2. Informative References
   8. Author's Address

1. Introduction

   RC4 is broken [RFC7457] and this document deprecates its use in
   Secure Shell (SSH).

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in
   BCP 14 [RFC2119, RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2. Why obsolete and move to Historic RFC 4345

   RFC 4345 defines the "arcfour-128" and "arcfour-256" modes for SSH,
   and is obsoleted and moved to Historic as RC4 is broken [RFC7457].
   The modes defined by RFC 4345 MUST NOT be used.

3. Updates to RFC 4253

   RFC 4253 is updated to prohibit arcfour's use in SSH.

   The last sentence of the paragraph on RC4 (called "arcfour"
   in [RFC4253]) in Section 6.3 of [RFC4253] should read: "Arcfour (also
   known as RC4) is broken [RFC7457] and therefore it MUST NOT be used."

   An informative reference to RFC 7457 is to be added to [RFC4253].

4. IANA Considerations

   IANA may need to take action as the status for RC4 and 3DES
   algorithms for Secure Shell (SSH) is changed by this document
   (see Section 3, which updates [RFC4253]).

5. Security Considerations

   This document only prohibits the use of RC4 in SSH, and introduces no
   new security considerations.

6. Acknowledgements

   Thanks to the numerous authors who have shown the weaknesses of
   RC4 throughout the years, and to the several people who have
   commented on the CURDLE mailing list about this document.

7. References

7.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in
             RFC 2119 Key Words", BCP 14, RFC 8174, May 2017.

7.2. Informative References

   [RFC4253] Ylonen, T., and C. Lonvick, Ed., "The Secure Shell (SSH)
             Transport Layer Protocol", RFC 4253, January 2006.

   [RFC7457] Sheffer, Y., Holz, R., and P. Saint-Andre, "Summarizing
             Known Attacks on Transport Layer Security (TLS) and
             Datagram TLS (DTLS)", RFC 7457, February 2015.

   [[RFC-Editor: please replace the 'i' in my name by U+00ED and the
   first 'a' in the surname by U+00E2, as non-ASCII characters are
   allowed as per RFC 7997]]

8. Author's Address

   Luis Camara

   EMail: