[Isis-wg] draft-bhatia-manral-crypto-req-isis-01.txt
Tony Li <tli@cisco.com> Fri, 02 March 2007 19:33 UTC
Return-path: <isis-wg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HNDVC-0001yt-Sy; Fri, 02 Mar 2007 14:33:14 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HNDVB-0001xZ-8a for isis-wg@ietf.org; Fri, 02 Mar 2007 14:33:13 -0500
Received: from sj-iport-4.cisco.com ([171.68.10.86]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HNDV8-00086P-Ua for isis-wg@ietf.org; Fri, 02 Mar 2007 14:33:13 -0500
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-4.cisco.com with ESMTP; 02 Mar 2007 11:33:10 -0800
X-IronPort-AV: i="4.14,243,1170662400"; d="scan'208"; a="44635718:sNHT44913573"
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id l22JXAn3015046 for <isis-wg@ietf.org>; Fri, 2 Mar 2007 11:33:10 -0800
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id l22JXAV4019966 for <isis-wg@ietf.org>; Fri, 2 Mar 2007 11:33:10 -0800 (PST)
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 2 Mar 2007 11:33:09 -0800
Received: from [192.168.0.101] ([10.21.97.116]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 2 Mar 2007 11:33:09 -0800
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Transfer-Encoding: 7bit
Message-Id: <7993FE39-A603-4830-B63F-9615A38B3DEA@cisco.com>
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
To: isis-wg@ietf.org
From: Tony Li <tli@cisco.com>
Date: Fri, 02 Mar 2007 11:33:10 -0800
X-Mailer: Apple Mail (2.752.3)
X-OriginalArrivalTime: 02 Mar 2007 19:33:09.0633 (UTC) FILETIME=[9BF69F10:01C75D01]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=1929; t=1172863990; x=1173727990; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=tli@cisco.com; z=From:=20Tony=20Li=20<tli@cisco.com> |Subject:=20draft-bhatia-manral-crypto-req-isis-01.txt=20 |Sender:=20; bh=MiEKv3iKQmZHlgu0hUS85OIVs55d3sd0cokZT2cKkDo=; b=XQpBrx5h/kmMXMh6OskBwNt6PFPqEvrVa3CZwC3kHfrU3GnFtpHCrFJW0Mg+5pZCNJmRB1aW 68SbKIxZHs9gA6TbWDIxC1P675HBhzjQAKkInwLUH9giMNtOogcVhYfba5hnchUNk+FYyXv/W7 3OnMM8ceaseiyA/ZaZ/V6hMm8=;
Authentication-Results: sj-dkim-1; header.From=tli@cisco.com; dkim=pass (sig from cisco.com/sjdkim1004 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a7d6aff76b15f3f56fcb94490e1052e4
Subject: [Isis-wg] draft-bhatia-manral-crypto-req-isis-01.txt
X-BeenThere: isis-wg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF IS-IS working group <isis-wg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isis-wg>
List-Post: <mailto:isis-wg@ietf.org>
List-Help: <mailto:isis-wg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=subscribe>
Errors-To: isis-wg-bounces@ietf.org
Hi, I'd like to take exception to some language found in this draft. I quote: The HMAC-MD5 scheme is also not good enough as there have recently been reports about attacks on the collision resistance properties of MD5 [MD5-attack]. MD5CRK, was a distributed computing project to break the MD5 hash algorithm in a short period of time. The project closed down with the publication of the paper [MD5-attack]. It was discovered that collisions can be found in MD5 algorithm in less than 24 hours, making MD5 very insecure. I find this language to simply be irresponsible in that it misconstrues an attack vector and then draws a completely incorrect conclusion and reports it using the most incendiary language possible. It is correct that it is possible to quickly find a collision for an MD5 hash. However, just finding a collision does not give an attacker a mechanism to compute a correct hash for an arbitrary packet. Thus, the attacker does not have a mechanism to forge arbitrary packets and have them injected into IS-IS. In fact, the most that this process will do is allow the attacker to calculate some other, effectively pseudo-random packet that would have an identical hash. The odds of such a packet being a syntactically correct IS-IS PDU are long indeed (e.g., is the Fletcher checksum correct?), and the odds of it further performing some attack of interest within an IS-IS domain are longer still. Note that I do not disagree that there is a need for replacement algorithms. Experience has shown that all cryptographic algorithms will eventually be compromised in serious ways. However, the attack cited is simply not in that category and it is wholly unreasonable to claim that the sky is falling. I recommend that the WG not accept this draft until this language is revised. Regards, Tony _______________________________________________ Isis-wg mailing list Isis-wg@ietf.org https://www1.ietf.org/mailman/listinfo/isis-wg
- [Isis-wg] draft-bhatia-manral-crypto-req-isis-01.… Tony Li
- Re: [Isis-wg] draft-bhatia-manral-crypto-req-isis… Vishwas Manral
- Re: [Isis-wg] draft-bhatia-manral-crypto-req-isis… Vishwas Manral
- Re: [Isis-wg] draft-bhatia-manral-crypto-req-isis… Vishwas Manral
- Re: [Isis-wg] draft-bhatia-manral-crypto-req-isis… Vishwas Manral
- RE: [Isis-wg] draft-bhatia-manral-crypto-req-isis… Parker, Jeff
- Re: [Isis-wg] draft-bhatia-manral-crypto-req-isis… Vishwas Manral
- Re: [Isis-wg] draft-bhatia-manral-crypto-req-isis… Tony Li
- Re: [Isis-wg] draft-bhatia-manral-crypto-req-isis… Russ White