Re: [OPSAWG] Call for Adoption: draft-hmac-sha-2-usm-snmp

Warren Kumari <warren@kumari.net> Wed, 26 November 2014 17:54 UTC

In-Reply-To: <201411241850.sAOIoVFg004859@mainfs.snmp.com>
References: <544A35BB.2070503@secunet.com> <201411241850.sAOIoVFg004859@mainfs.snmp.com>
Date: Wed, 26 Nov 2014 12:54:56 -0500
Message-ID: <CAHw9_iL+B1hf9ajCSgWuEHyiRnU_NKDDGN9BgLo5YHaDWK5FaA@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: David Reid <reid@snmp.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/opsawg/f5etyrNVlalwsdEU8OWIsgGD0dE
Cc: "opsawg@ietf.org" <opsawg@ietf.org>, draft-hmac-sha-2-usm-snmp@tools.ietf.org
Subject: Re: [OPSAWG] Call for Adoption: draft-hmac-sha-2-usm-snmp

On Mon, Nov 24, 2014 at 1:50 PM, David Reid <reid@snmp.com> wrote:
> Is there any progress on this?
>

Wow. Yes, sorry, there is...

We mentioned in the face to face meeting at IETF91 that we would be
adopting draft-hmac-sha-2-usm-snmp (and thanking Sam et al. for
supporting this decision) - however, we never actually sent the "Dear
authors, please resubmit draft-hmac-sha-2-usm-snmp as
draft-ietf-opsawg-hmac-sha-2-usm-snmp"[0].

So, dear authors, please resubmit as.. etc.

Also, thanks to the authors of draft-hartman-snmp-sha2 and
draft-hmac-sha-2-usm-snmp, and the WG participants for all of their
work and input on this.

W
[0]: I took the week after IETF off as vacation, then looked at the
unread email and have been hiding under the covers ever since, hoping
it might all just disappear...


> I like the proposal from Johannes to continue with draft-hmac-sha-2-usm-snmp
> and to shorten the list of protocols.
>
> -David Reid
>
>> > A month on, what is the WG chairs take on this?
>>
>> Good question. Even more time has passed by now.
>>
>> Maybe it helps if I summarize the results of my poll. Hereby, I assume that the authors of the two drafts prefer their
>> respective approach (a presumption I can confirm for draft-hmac-sha-2-usm-snmp).
>>
>> Question 1: Should the protocols be described
>> a) as a "diff" to the previous protocols, as done in draft-hmac-sha-2-usm-snmp, or
>> b) completely and based on a description of a generic hmac-based authentication protocol, as done in draft-hartman?
>>
>> Result:
>> a) is preferred by the authors of draft-hmac-sha-2-usm-snmp, and by David Reid, Tom Petch, Uri Blumenthal
>> b) is preferred by the authors of draft-hartman-snmp-sha2.
>>
>> Question 2: Should the protocols be based on complete or truncated HMACs?
>> - complete is preferred by the authors of draft-hartman-snmp-sha2.
>> - truncated is preferred by the authors of draft-hmac-sha-2-usm-snmp, and by David Reid, Tom Petch, Uri Blumenthal
>>
>> Question 3: Which (sub)set of protocols (hash function, MAC length) should be selected?
>> - Johannes: SHA-256-192 as MUST, SHA-512-256 as SHOULD, all others can be MAY or omitted.
>> - Uri: SHA-256-192 and SHA-384-320 as MUST, SHA-512-256 as SHOULD, and SHA-224-??? as MAY
>> - Tom: AFAIU, he agrees with the preferences expressed by David, Johannes and Uri.
>> - David: SHA-256-192 and SHA-512-384.
>> (In all the above cases, the preferences were not that strong, there was mainly the wish to reduce the number of
>> protocols in the current draft.)
>> - Again, I assume that the authors of draft-hartman-snmp-sha2 prefer their proposals.
>>
>> The preferences are clearly split between two groups, the authors of draft-hartman-snmp-sha2 on one side, the authors of
>> draft-hmac-sha-2-usm-snmp, David Reid, Tom Petch, and Uri Blumenthal on the other. I don't see any potential compromise
>> here.
>>
>> My proposal, which is clearly biased due to my role as author, is to continue with draft-hmac-sha-2-usm-snmp and to
>> shorten the list of protocols, e.g. to
>> usmHMAC192SHA256AuthProtocol as MUST
>> usmHMAC384SHA512AuthProtocol as SHOULD
>> usmHMAC256SHA384AuthProtocol and usmHMAC128SHA224AuthProtocol as MAY
>>
>> In these proposals the truncation is reduced to 25% which is in line with the preferences expressed by Uri and David,
>> and may even reduce the concerns of the authors of draft-hartman-snmp-sha2 about truncation.
>>
>>
>> So, chairs, what is your decision?
>>
>> Johannes
>>



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
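The poll quoted above turns on two technical questions: whether the USM authentication tag should be a complete or a truncated HMAC, and which hash/MAC-length pairs (usmHMAC128SHA224AuthProtocol through usmHMAC384SHA512AuthProtocol) to keep. The following is an added example, not code from the thread, from either draft, or from any SNMP implementation; it shows what "truncated HMAC-SHA-2 in USM" means in working code. It assumes the RFC 3414 password-to-key and key-localization procedure (hash 1,048,576 bytes of the repeated password, then H(Ku || engineID || Ku)) applied with the SHA-2 hash of the chosen protocol, and the RFC 3414 tag construction (zero the msgAuthenticationParameters field, HMAC the whole message, keep the first N octets). The message layout, header bytes and payload are constructed placeholders, not BER-encoded SNMP; the only real values are the RFC 3414 appendix A.3 test vector ("maplesyrup", engineID 00...02), which is used to check the key-derivation helpers with SHA-1.

```python
import hashlib
import hmac

# Protocols named in the thread, mapped to (hash constructor, tag length in octets).
# The tag length is the truncated MAC size: e.g. HMAC-SHA-256 keeps 192 bits = 24 octets.
USM_SHA2_PROTOCOLS = {
    "usmHMAC128SHA224AuthProtocol": (hashlib.sha224, 16),
    "usmHMAC192SHA256AuthProtocol": (hashlib.sha256, 24),
    "usmHMAC256SHA384AuthProtocol": (hashlib.sha384, 32),
    "usmHMAC384SHA512AuthProtocol": (hashlib.sha512, 48),
}

# engineID from the RFC 3414 appendix A.3 test vectors (a real vector, reused here).
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: bytes, hashfunc) -> bytes:
    """RFC 3414 A.2: hash exactly 1,048,576 octets of the password repeated cyclically."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1_048_576, len(password))
    return hashfunc(password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hashfunc) -> bytes:
    """RFC 3414 A.2 key localization: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashfunc(ku + engine_id + ku).digest()


def _zero_auth_params(whole_msg: bytes, offset: int, n: int) -> bytes:
    """Return the message with the N-octet authentication parameters field set to zeros."""
    if offset < 0 or offset + n > len(whole_msg):
        raise ValueError("authentication parameters field out of range")
    return whole_msg[:offset] + b"\x00" * n + whole_msg[offset + n:]


def compute_auth_params(protocol: str, kul: bytes, whole_msg: bytes, offset: int) -> bytes:
    """HMAC over the whole message (auth field zeroed), truncated to the protocol's N octets."""
    hashfunc, n = USM_SHA2_PROTOCOLS[protocol]
    full_mac = hmac.new(kul, _zero_auth_params(whole_msg, offset, n), hashfunc).digest()
    return full_mac[:n]  # truncation keeps the leading octets; the key is never truncated


def verify_auth_params(protocol: str, kul: bytes, whole_msg: bytes, offset: int) -> bool:
    """Receiver side: recompute the truncated tag and compare in constant time."""
    _, n = USM_SHA2_PROTOCOLS[protocol]
    received = whole_msg[offset:offset + n]
    expected = compute_auth_params(protocol, kul, whole_msg, offset)
    return hmac.compare_digest(received, expected)


def build_authenticated_message(protocol: str, kul: bytes, header: bytes, payload: bytes):
    """Constructed layout header || authParams || payload (placeholder, not real BER)."""
    _, n = USM_SHA2_PROTOCOLS[protocol]
    offset = len(header)
    msg = header + b"\x00" * n + payload
    tag = compute_auth_params(protocol, kul, msg, offset)
    return msg[:offset] + tag + msg[offset + n:], offset


def rfc3414_sha1_vector():
    """Re-derive the RFC 3414 A.3.2 SHA-1 vector to check the key helpers: (Ku, Kul) as hex."""
    ku = password_to_key(b"maplesyrup", hashlib.sha1)
    kul = localize_key(ku, RFC3414_ENGINE_ID, hashlib.sha1)
    return ku.hex(), kul.hex()


def demo(protocol: str = "usmHMAC192SHA256AuthProtocol") -> dict:
    """Sign a constructed message, then verify it and a one-bit-tampered copy."""
    hashfunc, n = USM_SHA2_PROTOCOLS[protocol]
    ku = password_to_key(b"maplesyrup", hashfunc)          # same password, SHA-2 hash
    kul = localize_key(ku, RFC3414_ENGINE_ID, hashfunc)
    header = b"constructed-msgGlobalData-and-usm-header"   # constructed placeholder bytes
    payload = b"constructed-scopedPDU"                       # constructed placeholder bytes
    msg, offset = build_authenticated_message(protocol, kul, header, payload)
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])           # flip one bit of the payload
    return {
        "tag_len": n,
        "ok": verify_auth_params(protocol, kul, msg, offset),
        "tampered_ok": verify_auth_params(protocol, kul, tampered, offset),
        "msg": msg,
        "offset": offset,
    }


if __name__ == "__main__":
    print(rfc3414_sha1_vector())
    for name in USM_SHA2_PROTOCOLS:
        r = demo(name)
        print(name, "tag octets:", r["tag_len"], "verify:", r["ok"], "tampered:", r["tampered_ok"])
```

Two points for anyone reading the "complete vs. truncated" question in the poll: truncation shortens only the transmitted tag, so a forger's per-attempt success probability drops to 2^-N for an N-bit tag (2^-192 for SHA-256-192), while the localized key keeps the hash function's full output length; and because the tag is a prefix of the full HMAC, verification must compare it with a constant-time function such as hmac.compare_digest rather than `==`, or the truncation saves nothing against a timing-based guess.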