Re: [OPSEC] minutes part 2

[R Atkinson <ran.atkinson@gmail.com>]

On  17 Dec 2008, at 20:04, Glen Kent wrote:
> This does not address the point that i had raised.
>
>> I have no concern with the WG documenting any issues, provided:
>> - they really are technical issues rather than opinion,
>
> So, you dont think the issues mentioned in the drafts are technical?
> OK, how would you categorize those issues?

Let me repeat:
	My comments here have been focused on the
	comments reported *meeting minutes*.

I have made no assertions about any drafts.

>> - the analysis really is comprehensive, including a threat model,
>> - the analysis also discusses existing mitigations,
>> and
>> - the analysis covers all such authentication mechanism,
>> including for example RFC-2154, not just some of them.
>
> Its experimental. Lets leave it out of the discussion.

It is real and it is (IMHO) a whole lot better than anything
else we have -- and I understand at least one implementation
exists.  So we should include it in the discussion.

>> (For an individual submission rather than a WG document, of course,
>> none of the above caveats would apply, as individuals can say
>> whatever they wish, true or not, in a personal informational RFC. :-)
>>
>> As my notes have tried (and perhaps failed, sigh) to make
>> clear, the focus of my concerns are:
>>
>> 1) An apparent proposal, according to the WG minutes, to have
>>  the OPsec WG recommend that users migrate to using SHA-based
>
> Can you stop being vague and mention the precise proposal you are
> arguing against?

Kindly see the meeting minutes, which is what ALL of my comments
have been reacting to.

>>  mechanisms.  There are not solid technical grounds to
>>  recommend/prefer SHA approaches over MD5 approaches
>>  (or the reverse: it isn't obvious that MD5 is better either).
>
> So, you dont think there is any value in moving over to SHA based
> mechanisms, is it?

At present, there is no known scientific data indicating
that SHA-based approaches are either stronger or weaker
than MD5-based approaches **as used in the current
IGP authentication specifications**.

If you know of a published paper that explains that either
one is stronger **as used for IGP authentication**, for
example when used in the same cryptographic modes as for
IGP authentication, then please share the document (or
a URL/formal citation to it) so everyone can read it.

> You probably did not notice, but IESG has added a note, in the very
> RFC (4822) where YOU have added support for SHA for RIP
>
> "In the interests of encouraging rapid migration away from Keyed-MD5
> and its known weakness, the IESG has approved this document even
> though it does not meet the guidelines in BCP 107 (RFC 4107)."

I'm aware of that.  Look at the date on RFC-4822:
	February 2007

AFTER that IESG statement, in *November 2007*, NIST posted its
formal notice (URL provided previously) that SHA now has
"serious attacks" and that NIST was soliciting a replacement
algorithm -- so that NIST can replace/deprecate the current
SHA algorithm.

BOTTOM LINE:

The prior confidence in SHA's compression function doesn't
exist NOW due to publication of papers describing "serious
attacks" (quote from NIST) on SHA's compression function.

Yours,

Ran
rja@extremenetworks.com


_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec