IETF Logo Mail Archive

RE: [ipcdn] FW: DISCUSS: draft-ietf-ipcdn-bpiplus-mib-14

"Jean-Francois Mule" <jf.mule@cablelabs.com> Fri, 24 September 2004 22:37 UTC

Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA28245 for <ipcdn-archive@ietf.org>; Fri, 24 Sep 2004 18:37:58 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CAyoZ-0006nQ-PK for ipcdn-archive@ietf.org; Fri, 24 Sep 2004 18:45:20 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CAyep-0008LG-0q; Fri, 24 Sep 2004 18:35:15 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CAya2-0007hC-W1 for ipcdn@megatron.ietf.org; Fri, 24 Sep 2004 18:30:19 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA27634 for <ipcdn@ietf.org>; Fri, 24 Sep 2004 18:30:16 -0400 (EDT)
Received: from ondar.cablelabs.com ([192.160.73.61]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CAyh7-0006ev-OX for ipcdn@ietf.org; Fri, 24 Sep 2004 18:37:38 -0400
Received: from srvxchg.cablelabs.com (srvxchg.cablelabs.com [10.5.0.20]) by ondar.cablelabs.com (8.12.10/8.12.10) with ESMTP id i8OMTikH011892; Fri, 24 Sep 2004 16:29:44 -0600 (MDT)
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [ipcdn] FW: DISCUSS: draft-ietf-ipcdn-bpiplus-mib-14
Date: Fri, 24 Sep 2004 16:29:43 -0600
Message-ID: <CD6CE349CFD30D40BF5E13B3E0D8480406A38F@srvxchg.cablelabs.com>
Thread-Topic: RE: [ipcdn] FW: DISCUSS: draft-ietf-ipcdn-bpiplus-mib-14
Thread-Index: AcSihf1vFW/jBV1RRj6+t2LSzDSCFw==
From: Jean-Francois Mule <jf.mule@cablelabs.com>
To: Russ Housley <housley@vigilsec.com>, "Steven M. Bellovin" <smb@research.att.com>, bwijnen@lucent.com, ipcdn@ietf.org
X-Approved: ondar
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 1676547e4f33b5e63227e9c02bd359e3
Content-Transfer-Encoding: quoted-printable
Cc: Eduardo Cardona <e.cardona@cablelabs.com>, Greg White <g.white@cablelabs.com>, Oscar Marcia <o.marcia@cablelabs.com>, "Richard Woundy @ Comcast" <Richard_woundy@cable.comcast.com>, Eric Rosenfeld <e.rosenfeld@cablelabs.com>
X-BeenThere: ipcdn@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP over Cable Data Network <ipcdn.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipcdn>, <mailto:ipcdn-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipcdn@ietf.org>
List-Help: <mailto:ipcdn-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipcdn>, <mailto:ipcdn-request@ietf.org?subject=subscribe>
Sender: ipcdn-bounces@ietf.org
Errors-To: ipcdn-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 093efd19b5f651b2707595638f6c4003
Content-Transfer-Encoding: quoted-printable

Russ, Steve and Bert,

  Thanks for your comments on draft-ietf-ipcdn-bpiplus-mib-14.
  To summarize, you expressed 2 main comments, see below a proposed
resolution.


Ipcdn folks:
  Feel free to interject and comment.


--- 1. Syntax of docsBpi2CmPublicKey and range limitations:
   Per Eduardo and Rich's responses, the current object syntax of
docsBpi2CmPublicKey is justified by the fact that DOCSIS BPI+ specifies
a public modulus of 3 or 65537. 
Eduardo wrote:
>  DOCSIS uses a subset of moduli values that matches the sizes
> described by the MIB object.

Rich added:
> In general I am sure this is true, but for DOCSIS BPI+, a
> specific public modulus is specified: 65537.
> 
> Per
> <http://www.cablemodem.com/downloads/specs/BPI+_I11-040407.pdf
> >, section 4.2.2.4 and elsewhere: "PKCS #1 v2.0 states that
> the RSA public exponent may be standardized in specific
> applications, and the document suggests values of 3 or 65537 
> (F4). Baseline Privacy Plus standardizes on F4 for a public 
> exponent and employs a 1024-bit modulus (Baseline Privacy 
> employed a 768-bit modulus)." Also see sections 7.5 and 7.6, 
> for example.

Proposed resolution:
  Even with the above justification, we (Rich and I) do not have any
objection changing the syntax to not restrict the possible ranges in the
MIB module. To allow the use of PCKS 4096 bits moduli, we (Eduardo,
Oscar and I) would like to define the max limit to something like 524.
The proposal is: 

   a) change the SYNTAX
replace
<  docsBpi2CmPublicKey     OBJECT-TYPE
<       SYNTAX             OCTET STRING (SIZE (74|106|140|204|270))
with
>  docsBpi2CmPublicKey     OBJECT-TYPE
>      SYNTAX             OCTET STRING (SIZE 0..524)

   b) for existing 1.1 and 2.0 implementations, in the compliance
statement, an OBJECT clause to say that DOCSIS 1.1 and 2.0 devices are
not required to support any key with a size greater than 270.

This proposal should suffice to address the comment: it adds flexibility
in the generic object definition, yet reflects the reality of the
underlying docsis 1.1 and 2.0 implementations and allow us to add a new
compliance statement later for newer implementations without changing
the mib definition. If this is not sufficient, let us know.


--- 2. Lack of strong encryption & authentication mechanism in DOCSIS
BPI+
   The second comment raised by you both (Russ and Steve) is the lack of
strong encryption & authentication mechanism in DOCSIS BPI+ and
subsequently in the IPCDN DOCSIS BPI+ MIB module.
   While the current DOCSIS specifications do not support any additional
algorithms (and therefore, the underlying protocols supported by this
MIB may not allow additional algorithm to be negotiated and used), we
believe it is ok to add a couple of stronger encryption/auth algorithms
for future use. Vendors may opt to support these additional algorithms
and future DOCSIS specs may consider these for inclusion - TBD. In any
case, today's implementations should reject any values outside the range
allowed in docsis per standard error handling procedures so we don't see
a pb with adding some better algo there.

   Based on some input from Oscar Marcia, our chief security architect
at CableLabs, Eric Rosenfeld, and Eduardo Cardona, we would like to
propose that we add the following algorithms as optional to support:

 Symmetric encryption: 
 AES (AES128CbcMode, AES256CbcMode), 3DES, DES
 ^^^ new addition, optional to support

 Public-key algorithms: 
 RSA (768, 1024, 2048, 3072 -bit key)

 Data integrity algorithms: 
 SHA-1, SHA-256, MD5
 ^ new addition, optional to support 
 On the data integrity, as Eric and Oscar pointed out, please note that
the MAC level protocol DOCSIS only support encryption today.
Authentication is used on the key management messages and all DOCSIS
Dynamic Service Flow DSA, DSC, and DSD exchanges, but the actual data
transport security only uses encryption. So proposing authentication
algorithms is a clear stretch based on the current protocol and
implementations. That said, we would be ok with adding a couple for
potential future use.


  We would also like to add some text in the compliance statement of the
MIB to specify what algs are mandatory to support for DOCSIS 1.1 and 2.0
to eliminate any potential confusions.
 

Are these proposals to resolve your comments ok with you? 
Do you see any other possible algorithms we should consider for
inclusion? Any one we should remove? 
Once we have your blessing on the above, Eduardo or I will propose the
exact text modifications for the Internet-Draft (we probably need to add
some text in the description clauses, compliance statement, the security
consideration section, references, etc.)


Let us know if this message addresses those IESG comments. Special
thanks all the folks in cc: for their input on this thread. Any
additional comments, please include the ipcdn list.

Thanks,
Jean-Francois 
IPCDN co-chair

_______________________________________________
IPCDN mailing list
IPCDN@ietf.org
https://www1.ietf.org/mailman/listinfo/ipcdn

v2.23.0 | Report a Bug | By Email