Re: [karp] Cryptographic Authentication Algorithm Implementation Best Practices for Routing Protocols

David McGrew <mcgrew@cisco.com> Wed, 11 November 2009 12:59 UTC

Hi Manav,

suggested improvement in terminology inline:

On Nov 11, 2009, at 4:24 AM, Manav Bhatia wrote:

> Hi,
>
> We have posted the revised version based on the feedback that we had
> received from OPSEC and it's available here:
>
> http://www.ietf.org/id/draft-bhatia-manral-igp-crypto-requirements-04.txt
>
> Would be great if folks in KARP go through this and provide some  
> feedback.
>
> Abstract
>
> The routing protocols Open Shortest Path First version 2
> (OSPFv2)[RFC2328], Intermediate System to Intermediate System (IS-IS)
> [ISO] [RFC1195] and Routing Information Protocol (RIP) [RFC2453]
> currently define Clear Text and MD5 (Message Digest 5) [RFC1321]
> methods for authenticating protocol packets. Recently effort has been
> made to add support for the SHA (Secure Hash Algorithm) family of hash
> functions for the purpose of authenticating routing protocol packets
> for RIP [RFC4822], IS-IS [RFC5310] and OSPF [RFC5709].

... to add support for the HMAC message authentication code [RFC2104]  
using the SHA family of hash functions ...

regards,

David

>
> To encourage interoperability between disparate implementations, it is
> imperative that we specify the expected minimal set of algorithms
> thereby ensuring that there is at least one algorithm that all
> implementations will have in common.
>
> This document examines the current set of available algorithms with
> interoperability and effective cryptographic authentication protection
> being the principal considerations. Cryptographic authentication of
> these routing protocols requires the availability of the same
> algorithms in disparate implementations. It is desirable that newly
> specified algorithms should be implemented and available in routing
> protocol implementations because they may be promoted to requirements
> at some future time.
>
> Cheers, Manav
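
The distinction drawn in the reply above, as an added example that is not part of the original message or of the draft: HMAC [RFC2104] built from SHA-256 is a different construction from an ad-hoc keyed SHA-256 digest, even though both "use SHA". The key, the packet bytes and the append-the-tag layout are constructed for illustration; the routing protocol RFCs define their own digest placement.

```python
import hashlib
import hmac

BLOCK = 64    # SHA-256 input block size in bytes ("B" in RFC 2104)
TAG_LEN = 32  # SHA-256 output length in bytes ("L" in RFC 2104)

def hmac_sha256_rfc2104(key: bytes, msg: bytes) -> bytes:
    """HMAC per RFC 2104: H((K xor opad) || H((K xor ipad) || msg))."""
    if len(key) > BLOCK:              # over-long keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")   # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()

def keyed_sha256(key: bytes, msg: bytes) -> bytes:
    """Ad-hoc keyed hash H(K || msg): uses SHA but is not HMAC."""
    return hashlib.sha256(key + msg).digest()

def authenticate(key: bytes, packet: bytes) -> bytes:
    """Append the HMAC tag to the packet (constructed layout)."""
    return packet + hmac_sha256_rfc2104(key, packet)

def verify(key: bytes, wire: bytes) -> bool:
    """Recompute the tag and compare it in constant time."""
    if len(wire) < TAG_LEN:
        return False
    packet, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac_sha256_rfc2104(key, packet))

# Constructed sample input, not taken from any real protocol exchange.
SAMPLE_KEY = b"constructed-shared-key"
SAMPLE_PACKET = b"constructed-routing-update seq=42"

if __name__ == "__main__":
    wire = authenticate(SAMPLE_KEY, SAMPLE_PACKET)
    print("HMAC-SHA-256 :", wire[-TAG_LEN:].hex())
    print("SHA-256(K||m):", keyed_sha256(SAMPLE_KEY, SAMPLE_PACKET).hex())
    print("verifies     :", verify(SAMPLE_KEY, wire))
    tampered = wire.replace(b"seq=42", b"seq=43")
    print("tampered     :", verify(SAMPLE_KEY, tampered))
```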