Re: [lisp] LISP crypto

"Amjad Inamdar (amjads)" <amjads@cisco.com> Fri, 06 November 2015 04:47 UTC

Return-Path: <amjads@cisco.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26D111B354F for <lisp@ietfa.amsl.com>; Thu, 5 Nov 2015 20:47:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Put4ZC4MVvW for <lisp@ietfa.amsl.com>; Thu, 5 Nov 2015 20:47:53 -0800 (PST)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F5551B354E for <lisp@ietf.org>; Thu, 5 Nov 2015 20:47:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3388; q=dns/txt; s=iport; t=1446785273; x=1447994873; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=wETIDx5SnKJf/dqHKY7E/0rfGBnhWkGu9LzGzf8zc7E=; b=VY13Qfl45u6V67Im7/csRE4Zx2L7fKHNUBD/iRop+GfUBKkccJRPA1x0 phTuZ5kgBvJvIFJQl23wfQtsA6DA31FGiQsrudpnLqtZ6QGJCkLZZWOq8 /IcbiR9gRhboVZgKigSKVeWpymwnfW6K/+/lx+Z5/P4tGyddbHxvDnpvF I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ARAgC0LzxW/4cNJK1egztTbwa+BwENgWAXCoVvAhyBJDgUAQEBAQEBAYEKhDUBAQEDAQEBASAROgsFBwQCAQgRBAEBAQICIwMCAgIfBgsUAQgIAQEEDgUIiBEDCggNsBSMLQ2EPgEBAQEBAQEBAQEBAQEBAQEBAQEBARQEgQGKUYJThSKBRAWWSAGLLoFtgWGEP45Xh1EBHwEBQoQEcoQNgQcBAQE
X-IronPort-AV: E=Sophos;i="5.20,250,1444694400"; d="scan'208";a="204919490"
Received: from alln-core-2.cisco.com ([173.36.13.135]) by alln-iport-4.cisco.com with ESMTP; 06 Nov 2015 04:47:52 +0000
Received: from XCH-RCD-007.cisco.com (xch-rcd-007.cisco.com [173.37.102.17]) by alln-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id tA64lqNt007588 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 6 Nov 2015 04:47:52 GMT
Received: from xch-aln-006.cisco.com (173.36.7.16) by XCH-RCD-007.cisco.com (173.37.102.17) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Thu, 5 Nov 2015 22:47:52 -0600
Received: from xch-aln-006.cisco.com ([173.36.7.16]) by XCH-ALN-006.cisco.com ([173.36.7.16]) with mapi id 15.00.1104.000; Thu, 5 Nov 2015 22:47:51 -0600
From: "Amjad Inamdar (amjads)" <amjads@cisco.com>
To: Dino Farinacci <farinacci@gmail.com>
Thread-Topic: [lisp] LISP crypto
Thread-Index: AdEX+QgCejSjQFO0RFuQI9IxGCz84QAX+TQAAALXINA=
Date: Fri, 6 Nov 2015 04:47:51 +0000
Message-ID: <46848e1566054f18828428d721391388@XCH-ALN-006.cisco.com>
References: <0289fb1a84a84cff89fa92a4559c829c@XCH-ALN-006.cisco.com> <FA68153A-54CE-4572-87E6-2167F6AB48F3@gmail.com>
In-Reply-To: <FA68153A-54CE-4572-87E6-2167F6AB48F3@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.65.56.246]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/lisp/pIgpknmO8IG9BC14htAN1iAEaK0>
Cc: "lisp@ietf.org" <lisp@ietf.org>
Subject: Re: [lisp] LISP crypto
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Nov 2015 04:47:55 -0000

Hi Dino,

The thing being proposed with IKEv2 is to include a pre-shared key in the key derivation and with sufficient entropy in the pre-shared key, this would offer fair amount of protection. You can please refer draft-fluhrer-qr-ikev2 for further details.

Thanks,
-Amjad

-----Original Message-----
From: Dino Farinacci [mailto:farinacci@gmail.com] 
Sent: 06 November 2015 AM 05:34
To: Amjad Inamdar (amjads)
Cc: lisp@ietf.org
Subject: Re: [lisp] LISP crypto

Amjad, we are aware of the QC-safe work going on in CFRG. We are following it but it is very researchy at this point. We can add some text indicating that we’ll follow any CFRG/SAAG recommendations (or any security area working group’s recommendation) on using QC-safe technology.

If there is anything specific you want us to look at with IKE, please send some pointers. Thanks.

Dino

> On Nov 5, 2015, at 10:37 AM, Amjad Inamdar (amjads) <amjads@cisco.com> wrote:
> 
> Hi Brian/Dino,
>  
> The key material derivation proposed in draft-ietf-lisp-crypto is based on Diffie-Hellman which is not Quantum Computer resistant. There is some work underway to make IKE that uses DH for key derivation Quantum Computer safe. Might be a good idea to consider this for lisp-crypto as well.
>  
> Thanks,
> -Amjad
>  
> From: Amjad Inamdar (amjads)
> Sent: 03 November 2015 PM 12:33
> To: 'lisp@ietf.org'
> Subject: LISP NAT Traversal
>  
> Hi,
>  
> It will be useful if LISP NAT traversal draft 
> (draft-ermagan-lisp-nat-traversal) can elaborate on the following
>  
> 1) Why LISP NAT traversal cannot be accomplished without RTR (another network entity) which has implications on deployability, complexity and latency. There are other protocols (e.g IKE/IPsec) that achieve NAT-D and NAT-T without the need for additional network entity.
>  
> 2) Some more details on RTR deployment
> - location of RTR in the LISP deployment like there are 
> recommendations on PITR/PETR deployments
> - is RTR shared across LISP sites behind NAT or each site needs a 
> dedicated RTR
> - what if RTR is behind another NAT (SP-NAT)
>  
> 3) How is multiple-NAT handled (e.g. enterprise and SP NAT)
>  
> Thanks,
> -Amjad Inamdar CISSP, CCNP R&S, CCNP Security, CCDP, CCSK Senior 
> Technical Leader CSG PI Services Security - India
>  
> _______________________________________________
> lisp mailing list
> lisp@ietf.org
> https://www.ietf.org/mailman/listinfo/lisp