IETF Logo Mail Archive

Re: [dnsext] Report from chairs

Federico Lucifredi <lucifred@post.harvard.edu> Fri, 30 July 2010 18:40 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 408BD3A6ADB; Fri, 30 Jul 2010 11:40:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.756
X-Spam-Level: *
X-Spam-Status: No, score=1.756 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, IP_NOT_FRIENDLY=0.334, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aor+GnVcG5K8; Fri, 30 Jul 2010 11:40:32 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 48B653A67DA; Fri, 30 Jul 2010 11:40:31 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.72 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1OeuQh-000NGV-Mg for namedroppers-data0@psg.com; Fri, 30 Jul 2010 18:35:35 +0000
Received: from [69.17.117.50] (helo=mail6.sea5.speakeasy.net) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72 (FreeBSD)) (envelope-from <lucifred@post.harvard.edu>) id 1OeuQf-000NGG-FL for namedroppers@ops.ietf.org; Fri, 30 Jul 2010 18:35:33 +0000
Received: (qmail 25261 invoked from network); 30 Jul 2010 18:35:30 -0000
Received: from unknown (HELO [164.99.130.58]) (federico@[130.57.22.201]) (envelope-sender <lucifred@post.harvard.edu>) by mail6.sea5.speakeasy.net (qmail-ldap-1.03) with AES256-SHA encrypted SMTP for <hallam@gmail.com>; 30 Jul 2010 18:35:30 -0000
Message-ID: <4C531B70.8060505@post.harvard.edu>
Date: Fri, 30 Jul 2010 14:35:28 -0400
From: Federico Lucifredi <lucifred@post.harvard.edu>
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: Phillip Hallam-Baker <hallam@gmail.com>
CC: Francis Dupont <Francis.Dupont@fdupont.fr>, Andrew Sullivan <ajs@shinkuro.com>, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Report from chairs
References: <20100725213920.GF8017@shinkuro.com> <201007260710.o6Q7AjoB025253@givry.fdupont.fr> <AANLkTimVBmC=mMCzr1SO7k=9qfTXkdVWMd3Lrzcw8T+C@mail.gmail.com>
In-Reply-To: <AANLkTimVBmC=mMCzr1SO7k=9qfTXkdVWMd3Lrzcw8T+C@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>

I disagree. The shelving of TSIG/MD5 makes sense on its own (albeit just
on stack certification grounds - we understand that MD5 is not
compromised in this use).

There are no transitions: providers who care about ("no MD5"
certifications will just be able to drop the support for this algorithm
and claim both compliance with certification and with RFC standard.

That is a simple, self-contained issue.

DNScurve, which I am not a detractor to, will be mired in the usual SEC
feuding for a time, regardless of outcome. Whichever side you may take
on it, you know that is inevitably going to be the case.

So, if a consensus can be reached on closing the smaller TSIG/MD5 issue
per draft-ietf-dnsext-tsig-md5, I would support that. And if the
original author is too busy to pursue it, I am willing to be the
"process monkey" who gets it done.

Could the chairs indicate what would be the next step for this draft.

Best -Federico

Phillip Hallam-Baker wrote:
> My feeling is that we should shelve this and instead work on a key
> exchange to compliment TSIG and then deprecate HMAC-MD5 for use in
> that context.
> 
> The reason for this is that I think DNS-CURVE meets a real need, even
> if the approach is not really sensitive to existing DNS code.
> Suggesting a move to ECC is a good idea, suggesting transport layer
> security is a good idea. Suggesting both in the same proposal is not.
> 
> For example, most enterprises use split DNS. They do not want their
> internal DNS to be externally visible. But if (like me) the only
> corporate facility you really need most of the time is email, you can
> get perfectly adequate support by using SMTP and IMAP/POP over SSL.
> Using IPSEC just to secure the DNS part is really quite painful. This
> approach is much cleaner.
> 
> 
> So given that we can expect to upgrade the whole TSIG area in an
> important way, and given that there is no immediate security risk with
> MD5, I think it makes sense to have one transition rather than two.
> 
> 
> On Mon, Jul 26, 2010 at 3:10 AM, Francis Dupont
> <Francis.Dupont@fdupont.fr> wrote:
>>  In your previous mail you wrote:
>>
>>   4.  EXPIRED DRAFTS
>>
>>       - draft-ietf-dnsext-tsig-md5-deprecated
>>
>>   Is anyone still interested in this draft?  We have no movement on it.
>>
>> => there is a clear lack of support for this draft. I propose to give
>> the question to the security area so they should say if it is fine to
>> keep MD5 mandatory in an IETF protocol.
>>
>> Two comments:
>>  - MD5 is used in a way (HMAC) it is not proved to be weak
>>
>>  - the issue is MD5 it is forbidden for most (i.e., all I know of :-)
>>  certified cryptos so it is not possible to run a both certified (for
>>  the crypto) and conformant (to standards) TSIG tool.
>>  Now it seems to be only a formal concern...
>>
>> Thanks
>>
>> Francis.Dupont@fdupont.fr
>>
>>
> 
> 
> 


-- 

_________________________________________
-- "'Problem' is a bleak word for challenge" - Richard Fish
(Federico L. Lucifredi) - lucifred@fas.harvard.edu

v2.23.0 | Report a Bug | By Email