RE: [ipcdn] FW: DISCUSS: draft-ietf-ipcdn-bpiplus-mib-14
Russ Housley <housley@vigilsec.com> Sat, 25 September 2004 20:33 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA16007 for <ipcdn-archive@ietf.org>; Sat, 25 Sep 2004 16:33:45 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CBJM6-0000wM-FU for ipcdn-archive@ietf.org; Sat, 25 Sep 2004 16:41:18 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CBJCv-0002jW-KM; Sat, 25 Sep 2004 16:31:49 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CAyjr-0000aJ-Bu for ipcdn@megatron.ietf.org; Fri, 24 Sep 2004 18:40:27 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA28385 for <ipcdn@ietf.org>; Fri, 24 Sep 2004 18:40:24 -0400 (EDT)
Received: from woodstock.binhost.com ([144.202.240.3]) by ietf-mx.ietf.org with smtp (Exim 4.33) id 1CAyqw-0006pV-E3 for ipcdn@ietf.org; Fri, 24 Sep 2004 18:47:46 -0400
Received: (qmail 1825 invoked by uid 0); 24 Sep 2004 22:40:18 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (141.156.180.219) by woodstock.binhost.com with SMTP; 24 Sep 2004 22:40:18 -0000
Message-Id: <6.1.2.0.2.20040924183709.05501fe0@mail.binhost.com>
X-Sender: housley@mail.binhost.com
X-Mailer: QUALCOMM Windows Eudora Version 6.1.2.0
Date: Fri, 24 Sep 2004 18:41:28 -0400
To: Jean-Francois Mule <jf.mule@cablelabs.com>, "Steven M. Bellovin" <smb@research.att.com>, bwijnen@lucent.com, ipcdn@ietf.org
From: Russ Housley <housley@vigilsec.com>
Subject: RE: [ipcdn] FW: DISCUSS: draft-ietf-ipcdn-bpiplus-mib-14
In-Reply-To: <CD6CE349CFD30D40BF5E13B3E0D8480406A38F@srvxchg.cablelabs.c om>
References: <CD6CE349CFD30D40BF5E13B3E0D8480406A38F@srvxchg.cablelabs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 6d95a152022472c7d6cdf886a0424dc6
X-Mailman-Approved-At: Sat, 25 Sep 2004 16:31:48 -0400
Cc: Eduardo Cardona <e.cardona@cablelabs.com>, Greg White <g.white@cablelabs.com>, Oscar Marcia <o.marcia@cablelabs.com>, "Richard Woundy @ Comcast" <Richard_woundy@cable.comcast.com>, Eric Rosenfeld <e.rosenfeld@cablelabs.com>
X-BeenThere: ipcdn@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP over Cable Data Network <ipcdn.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipcdn>, <mailto:ipcdn-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipcdn@ietf.org>
List-Help: <mailto:ipcdn-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipcdn>, <mailto:ipcdn-request@ietf.org?subject=subscribe>
Sender: ipcdn-bounces@ietf.org
Errors-To: ipcdn-bounces@ietf.org
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 2857c5c041d6c02d7181d602c22822c8
Jean-Francois: >--- 1. Syntax of docsBpi2CmPublicKey and range limitations: > Per Eduardo and Rich's responses, the current object syntax of >docsBpi2CmPublicKey is justified by the fact that DOCSIS BPI+ specifies >a public modulus of 3 or 65537. >Eduardo wrote: > > DOCSIS uses a subset of moduli values that matches the sizes > > described by the MIB object. > >Rich added: > > In general I am sure this is true, but for DOCSIS BPI+, a > > specific public modulus is specified: 65537. > > > > Per > > <http://www.cablemodem.com/downloads/specs/BPI+_I11-040407.pdf> >, > section 4.2.2.4 and elsewhere: "PKCS #1 v2.0 states that > > the RSA public exponent may be standardized in specific > > applications, and the document suggests values of 3 or 65537 > > (F4). Baseline Privacy Plus standardizes on F4 for a public > > exponent and employs a 1024-bit modulus (Baseline Privacy > > employed a 768-bit modulus)." Also see sections 7.5 and 7.6, > > for example. > >Proposed resolution: > Even with the above justification, we (Rich and I) do not have any >objection changing the syntax to not restrict the possible ranges in the >MIB module. To allow the use of PCKS 4096 bits moduli, we (Eduardo, >Oscar and I) would like to define the max limit to something like 524. >The proposal is: > > a) change the SYNTAX >replace >< docsBpi2CmPublicKey OBJECT-TYPE >< SYNTAX OCTET STRING (SIZE (74|106|140|204|270)) >with > > docsBpi2CmPublicKey OBJECT-TYPE > > SYNTAX OCTET STRING (SIZE 0..524) > > b) for existing 1.1 and 2.0 implementations, in the compliance >statement, an OBJECT clause to say that DOCSIS 1.1 and 2.0 devices are >not required to support any key with a size greater than 270. > >This proposal should suffice to address the comment: it adds flexibility >in the generic object definition, yet reflects the reality of the >underlying docsis 1.1 and 2.0 implementations and allow us to add a new >compliance statement later for newer implementations without changing >the mib definition. If this is not sufficient, let us know. This is fine with me. >--- 2. Lack of strong encryption & authentication mechanism in DOCSIS >BPI+ > The second comment raised by you both (Russ and Steve) is the lack of >strong encryption & authentication mechanism in DOCSIS BPI+ and >subsequently in the IPCDN DOCSIS BPI+ MIB module. > While the current DOCSIS specifications do not support any additional >algorithms (and therefore, the underlying protocols supported by this >MIB may not allow additional algorithm to be negotiated and used), we >believe it is ok to add a couple of stronger encryption/auth algorithms >for future use. Vendors may opt to support these additional algorithms >and future DOCSIS specs may consider these for inclusion - TBD. In any >case, today's implementations should reject any values outside the range >allowed in docsis per standard error handling procedures so we don't see >a pb with adding some better algo there. > > Based on some input from Oscar Marcia, our chief security architect >at CableLabs, Eric Rosenfeld, and Eduardo Cardona, we would like to >propose that we add the following algorithms as optional to support: > > Symmetric encryption: > AES (AES128CbcMode, AES256CbcMode), 3DES, DES > ^^^ new addition, optional to support You need to specify a mode for 3DES too. It will probably be CBC like the rest of the algorithms you support. > Public-key algorithms: > RSA (768, 1024, 2048, 3072 -bit key) Okay. > Data integrity algorithms: > SHA-1, SHA-256, MD5 > ^ new addition, optional to support I expected HMAC-SHA-1. This can be truncated as is done in IPsec. Look at the HMAC-SHA1-96 definition for an example. MD5 is certainly not a good thing to add at this point. > On the data integrity, as Eric and Oscar pointed out, please note that >the MAC level protocol DOCSIS only support encryption today. >Authentication is used on the key management messages and all DOCSIS >Dynamic Service Flow DSA, DSC, and DSD exchanges, but the actual data >transport security only uses encryption. So proposing authentication >algorithms is a clear stretch based on the current protocol and >implementations. That said, we would be ok with adding a couple for >potential future use. > > > We would also like to add some text in the compliance statement of the >MIB to specify what algs are mandatory to support for DOCSIS 1.1 and 2.0 >to eliminate any potential confusions. Okay. Russ _______________________________________________ IPCDN mailing list IPCDN@ietf.org https://www1.ietf.org/mailman/listinfo/ipcdn
- [ipcdn] FW: DISCUSS: draft-ietf-ipcdn-bpiplus-mib… Wijnen, Bert (Bert)
- RE: [ipcdn] FW: DISCUSS: draft-ietf-ipcdn-bpiplus… Eduardo Cardona
- RE: [ipcdn] FW: DISCUSS: draft-ietf-ipcdn-bpiplus… Eduardo Cardona
- RE: [ipcdn] FW: DISCUSS: draft-ietf-ipcdn-bpiplus… Jean-Francois Mule
- RE: [ipcdn] FW: DISCUSS: draft-ietf-ipcdn-bpiplus… Russ Housley
- RE: [ipcdn] FW: DISCUSS: draft-ietf-ipcdn-bpiplus… Eduardo Cardona
- Re: [ipcdn] FW: DISCUSS: draft-ietf-ipcdn-bpiplus… Steven M. Bellovin
- RE: [ipcdn] FW: DISCUSS: draft-ietf-ipcdn-bpiplus… Jean-Francois Mule
- RE: [ipcdn] FW: DISCUSS: draft-ietf-ipcdn-bpiplus… Russ Housley
- RE: [ipcdn] FW: DISCUSS: draft-ietf-ipcdn-bpiplus… Jean-Francois Mule
- RE: [ipcdn] FW: DISCUSS: draft-ietf-ipcdn-bpiplus… Russ Housley