RE: AERO/OMNI dropping support for SEND/CGA
Vasilenko Eduard <vasilenko.eduard@huawei.com> Wed, 02 December 2020 19:01 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/m0MS8B1Wu6Wo0K94OIQZ-tGVB6o>
It is funny how CGA purpose is justified: "for the case if RSA would fail" (in SeND RFC).
It is the redundant algorithm to the normal RSA open key cryptography in SeND.
I have the temptation to ask: what if CGA would fail too? Maybe 3rd redundant cryptography is needed? (Sarcasm).

The essence of CGA algorithm:
It is based on the fact that original owner does not care about IID – it could be hash, but intruder would need exact IID.
If one would ask Sec of leading Zero in the hash, then legal host would need initially 2^(16*Sec) time to generate IID.
But Intruder would need 2^(59+16*Sec).

It is like block-chain - much more time and resources needed than any open key cryptography:
1. a lot of hashes to generate IID -> very expensive
2. in the case of collision (DAD?) - change "modifier" (parameter) and calculate again -> time consuming

I am not so optimistic about quantum. I believe that this hype is groundless.
Analog computer is something very powerful for special tasks - was popular in 1970s. It could be revived on the next level of performance. That’s it.

Ed/

> -----Original Message-----
> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Alexandre Petrescu
> Sent: December 2, 2020 21:14
> To: ipv6@ietf.org
> Subject: Re: AERO/OMNI dropping support for SEND/CGA
>
> On 01/12/2020 at 10:06, Vasilenko Eduard wrote:
> > Hi Fred,
> > SeND needs a refresh. CGA looks ridiculous now in principle. You should not use it.
>
> I am not sure what in CGA might need ridiculous?
>
> Probably the old crypto algorithms involved?
>
> > I am not sure: does it make sense to develop something else instead (based on elliptic curves).
>
> If there is something new to be developed it would need to take into account
> the 'post-quantum' crypto, i.e. algorithms whose output would resist brute force
> attacks performed by forthcoming quantum computers.
>
> These stronger algorithms would run on classical computer still.
>
> > As Fernando pointed many times: many things in ND could be resolved only by
> > digital signature (he calls it "untrusted model").
>
> Yes yes.
>
> Alex
>
> > But as we see: market has rejected PKI. Digital signature is not useful without proper key management.
> > IMHO: it is better to keep digital signature as a separate standard.
> > Therefore, if you have cycles for separate OMNI addendum, then it is better to have it for completeness. If not - not much to lose now.
> > But make sure that Open Key Cryptography and PKI (!) would be possible to add later.
> > What if something would be innovated in PKI and it became popular?
> > Reminder: PKI is needed not just for ND. Enterprises have the big pressure to protect all applications by TLS.
> > Your vertical would probably lead on PKI adoption.
> >
> > As an alternative: you could talk with IT and Security people in your vertical: if they believe in massive deployment of PKIs then you have to have Digital Signature for ND.
> > It would still not guarantee that it would be used, because hosts would need support for it at ND level, but it is already the good situation to try.
> > Hence again, better to keep it in separate specification.
> >
> > Eduard
> >> -----Original Message-----
> >> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Templin (US), Fred L
> >> Sent: December 1, 2020 1:12
> >> To: ipv6@ietf.org
> >> Subject: AERO/OMNI dropping support for SEND/CGA
> >>
> >> Folks, this is a big decision point for the AERO/OMNI drafts but I am
> >> preparing to drop support for SEND/CGA (RFC3971; RFC3972). This means
> >> that IPv6 ND message authentication on OMNI interfaces will use a
> >> simple HMAC the same as is done for Teredo (RFC4380; RFC6081). If
> >> anyone knows why that might cause problems, it would be best to speak up now.
> >>
> >> Fred
> >>
> >> --------------------------------------------------------------------
> >> IETF IPv6 working group mailing list
> >> ipv6@ietf.org
> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >> --------------------------------------------------------------------
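
The CGA generation and verification steps from RFC 3972 that the message above discusses, as an added example that is not part of the original post or of any implementation named in the thread. It assumes no extension fields, leaves out the DAD collision retry, starts the modifier at a fixed value instead of a random one so the run is reproducible, and uses a constructed byte string (`SAMPLE_KEY`) in place of a DER-encoded public key.

```python
import hashlib
import ipaddress

# Constructed stand-in for a DER-encoded public key (not a real key).
SAMPLE_KEY = b"constructed-public-key-bytes-for-illustration"

def _hash1(mod, prefix, collisions, pubkey):
    # Hash1: leftmost 64 bits of SHA-1(modifier | prefix | collision count | key)
    return hashlib.sha1(mod + prefix + bytes([collisions]) + pubkey).digest()[:8]

def _hash2_ok(mod, pubkey, sec):
    # Hash2: SHA-1(modifier | 9 zero octets | key); needs 16*Sec leading zero bits
    digest = hashlib.sha1(mod + bytes(9) + pubkey).digest()
    return digest[:2 * sec] == bytes(2 * sec)

def generate_cga(prefix, pubkey, sec, start_modifier=0):
    """Return (address, modifier, tries); tries averages 2^(16*Sec)."""
    if len(prefix) != 8 or not 0 <= sec <= 7:
        raise ValueError("need a 64-bit prefix and Sec in 0..7")
    modifier, tries = start_modifier, 1
    while not _hash2_ok(modifier.to_bytes(16, "big"), pubkey, sec):
        modifier = (modifier + 1) % (1 << 128)
        tries += 1
    mod = modifier.to_bytes(16, "big")
    iid = bytearray(_hash1(mod, prefix, 0, pubkey))
    # Sec goes in the 3 leftmost bits; u/g bits (0x03) are cleared: 59 hash bits remain.
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return ipaddress.IPv6Address(prefix + bytes(iid)), mod, tries

def verify_cga(address, mod, collisions, pubkey):
    """Receiver-side check: two hashes, independent of Sec."""
    raw = address.packed
    prefix, iid = raw[:8], raw[8:]
    if collisions not in (0, 1, 2):
        return False
    h1 = _hash1(mod, prefix, collisions, pubkey)
    if (h1[0] ^ iid[0]) & 0x1C or h1[1:] != iid[1:]:
        return False
    return _hash2_ok(mod, pubkey, iid[0] >> 5)

def expected_work(sec):
    """(owner, impersonator) hash counts as stated in the message above."""
    return 2 ** (16 * sec), 2 ** (59 + 16 * sec)

if __name__ == "__main__":
    addr, mod, tries = generate_cga(bytes.fromhex("20010db800000000"), SAMPLE_KEY, 1)
    print(addr, "after", tries, "Hash2 attempts; verifies:",
          verify_cga(addr, mod, 0, SAMPLE_KEY))
```

With Sec=1 the owner's search typically finishes after tens of thousands of SHA-1 calls, while verification stays at two hashes; each increment of Sec multiplies the owner's search by 2^16.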