Re: [Cfrg] tcp-md5 "strength"
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 29 September 2016 19:23 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F22E12B1BD for <cfrg@ietfa.amsl.com>; Thu, 29 Sep 2016 12:23:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.617
X-Spam-Level:
X-Spam-Status: No, score=-6.617 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.316, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U2N8g1C0W48z for <cfrg@ietfa.amsl.com>; Thu, 29 Sep 2016 12:23:23 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6ED912B19C for <Cfrg@irtf.org>; Thu, 29 Sep 2016 12:23:21 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id D540FBE3E; Thu, 29 Sep 2016 20:23:19 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lj_7vP9Ebfhv; Thu, 29 Sep 2016 20:23:18 +0100 (IST)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id D0F54BE56; Thu, 29 Sep 2016 20:23:17 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1475176998; bh=dhUi0yhXz0/7gll9eeZrRUuogp/0UcwIwtfcMP7amhY=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=sgyRzo/vAXuJFBGQTbFSAeVnkTHWXPflv/fISj/TIFBDdofCuYjgLVd1abAU/6nA/ nqrBPocVxx3wbmd5u1qBd9HsmU7bjwzu9TkrK0uWfm7WBisQj0B0OnMhbjS1kvDUyz hV6CE9yGotHkzc+/4s0QyHkS4DSQl9vX4OHYVfPk=
To: Greg Rose <ggr@seer-grog.net>
References: <baa756a9-e42a-9f0a-f772-ca230b4e43b7@cs.tcd.ie> <7615C52A-F83B-4B80-84C3-95FA39DBE6D0@seer-grog.net>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <0e657d6b-9a84-09f6-52e4-c407f8f95b0b@cs.tcd.ie>
Date: Thu, 29 Sep 2016 20:23:18 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <7615C52A-F83B-4B80-84C3-95FA39DBE6D0@seer-grog.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms020205090904020409030603"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/lZLtjGmhaHB4Jo9o36_UCLOygsM>
Cc: "cfrg@irtf.org" <Cfrg@irtf.org>
Subject: Re: [Cfrg] tcp-md5 "strength"
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Sep 2016 19:23:25 -0000
Hiya, On 29/09/16 15:05, Greg Rose wrote: > this is BGP! It's a bit important to the functioning of the Interwebs. Yeah. Two things:- 1. TCP-AO [1] was defined to improve this situation but has seen no deployment. So merely defining the obvious replacement in 2010 wasn't sufficient to move things along here. 2. It's not just BGP, other (e.g. MPLS-related) protocols re-use what's available on the relevant kit and are still doing so [2] (note [2] is not a new protocol but is a protocol being advanced on the IETF standards track). Hence my asking - I think there may be a chance to try (yet again) to convince folks to implement and deploy something better, but as part of that it'd be great to have an up-to-date and precise view on just how bad the currently deployed thing (TCP-MD5) really is. (And hey, if someone spends effort on this, they might get a nice publication about BGP;-) Ta, S. [1] https://tools.ietf.org/html/rfc5925 [2] https://datatracker.ietf.org/doc/draft-ietf-pals-rfc4447bis/
- [Cfrg] tcp-md5 "strength" Stephen Farrell
- Re: [Cfrg] tcp-md5 "strength" Greg Rose
- Re: [Cfrg] tcp-md5 "strength" Stephen Farrell
- Re: [Cfrg] tcp-md5 "strength" David McGrew (mcgrew)