Re: [OPSEC] minutes part 2
R Atkinson <ran.atkinson@gmail.com> Thu, 18 December 2008 01:56 UTC
Return-Path: <opsec-bounces@ietf.org>
X-Original-To: opsec-archive@optimus.ietf.org
Delivered-To: ietfarch-opsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4CFC53A6A24; Wed, 17 Dec 2008 17:56:59 -0800 (PST)
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 597493A69F3 for <opsec@core3.amsl.com>; Wed, 17 Dec 2008 17:56:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uAMjFV6-fpoT for <opsec@core3.amsl.com>; Wed, 17 Dec 2008 17:56:57 -0800 (PST)
Received: from mail-qy0-f11.google.com (mail-qy0-f11.google.com [209.85.221.11]) by core3.amsl.com (Postfix) with ESMTP id 4E5BD3A69E3 for <opsec@ietf.org>; Wed, 17 Dec 2008 17:56:57 -0800 (PST)
Received: by qyk4 with SMTP id 4so219723qyk.13 for <opsec@ietf.org>; Wed, 17 Dec 2008 17:56:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:mime-version :subject:date:references:x-mailer; bh=EqcqbfmzRlESA+FJAAngz1hawKi7G8QnZMumAoD5W9c=; b=DFE3HB2BGu08S/391KiNB4PIhRrDZI93fvXt7+r3J/yih1QCGndqMEdYhpef4PZoe+ a+8Ncwmkj9uqwrKgtoBSrKOaFE1ZZQ7+ecjwAVebHUUtYVnO6R9sAHtSuC0uoBrpqxW5 ljTBFcdKl37Ew7giYOdN/kjq82BMRLgJBtOrI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:from:to:in-reply-to:content-type :content-transfer-encoding:mime-version:subject:date:references :x-mailer; b=xNr0p8WLNjx7km5Ev0DjTc8SLOKjNbjoXOQgnqaMaGYwVs/9jzT4KgkEgm/noazvGX JQmOKfCn/9+HIFNYpWW6OsADEeTTbi0u309M5A0H+PoE7x89u2r+T2PEO51DJhckVnH5 CVLSoPDNdxiZanoX6KUVo/Ib7nBVOANf/koRM=
Received: by 10.214.115.16 with SMTP id n16mr1865569qac.104.1229565408708; Wed, 17 Dec 2008 17:56:48 -0800 (PST)
Received: from ?10.10.1.61? (67.111.52.130.ptr.us.xo.net [67.111.52.130]) by mx.google.com with ESMTPS id 6sm4560319ywn.6.2008.12.17.17.56.47 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 17 Dec 2008 17:56:48 -0800 (PST)
Message-Id: <C2E84336-3E35-4D68-BD81-3E222CD681F2@gmail.com>
From: R Atkinson <ran.atkinson@gmail.com>
To: opsec@ietf.org
In-Reply-To: <92c950310812171704x76e374bbv1bd74d74f5ca755b@mail.gmail.com>
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Wed, 17 Dec 2008 20:56:46 -0500
References: <EC3F7E1D-F7C8-484A-A0C0-1A25E79AD86E@extremenetworks.com> <92c950310812161620j7d8aaa16m553940edadbe6d8f@mail.gmail.com> <12201E12-8A0B-4FBE-95A9-5C8B23DA46EC@gmail.com> <92c950310812171704x76e374bbv1bd74d74f5ca755b@mail.gmail.com>
X-Mailer: Apple Mail (2.930.3)
Subject: Re: [OPSEC] minutes part 2
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: opsec-bounces@ietf.org
Errors-To: opsec-bounces@ietf.org
On 17 Dec 2008, at 20:04, Glen Kent wrote: > This does not address the point that i had raised. > >> I have no concern with the WG documenting any issues, provided: >> - they really are technical issues rather than opinion, > > So, you dont think the issues mentioned in the drafts are technical? > OK, how would you categorize those issues? Let me repeat: My comments here have been focused on the comments reported *meeting minutes*. I have made no assertions about any drafts. >> - the analysis really is comprehensive, including a threat model, >> - the analysis also discusses existing mitigations, >> and >> - the analysis covers all such authentication mechanism, >> including for example RFC-2154, not just some of them. > > Its experimental. Lets leave it out of the discussion. It is real and it is (IMHO) a whole lot better than anything else we have -- and I understand at least one implementation exists. So we should include it in the discussion. >> (For an individual submission rather than a WG document, of course, >> none of the above caveats would apply, as individuals can say >> whatever they wish, true or not, in a personal informational RFC. :-) >> >> As my notes have tried (and perhaps failed, sigh) to make >> clear, the focus of my concerns are: >> >> 1) An apparent proposal, according to the WG minutes, to have >> the OPsec WG recommend that users migrate to using SHA-based > > Can you stop being vague and mention the precise proposal you are > arguing against? Kindly see the meeting minutes, which is what ALL of my comments have been reacting to. >> mechanisms. There are not solid technical grounds to >> recommend/prefer SHA approaches over MD5 approaches >> (or the reverse: it isn't obvious that MD5 is better either). > > So, you dont think there is any value in moving over to SHA based > mechanisms, is it? At present, there is no known scientific data indicating that SHA-based approaches are either stronger or weaker than MD5-based approaches **as used in the current IGP authentication specifications**. If you know of a published paper that explains that either one is stronger **as used for IGP authentication**, for example when used in the same cryptographic modes as for IGP authentication, then please share the document (or a URL/formal citation to it) so everyone can read it. > You probably did not notice, but IESG has added a note, in the very > RFC (4822) where YOU have added support for SHA for RIP > > "In the interests of encouraging rapid migration away from Keyed-MD5 > and its known weakness, the IESG has approved this document even > though it does not meet the guidelines in BCP 107 (RFC 4107)." I'm aware of that. Look at the date on RFC-4822: February 2007 AFTER that IESG statement, in *November 2007*, NIST posted its formal notice (URL provided previously) that SHA now has "serious attacks" and that NIST was soliciting a replacement algorithm -- so that NIST can replace/deprecate the current SHA algorithm. BOTTOM LINE: The prior confidence in SHA's compression function doesn't exist NOW due to publication of papers describing "serious attacks" (quote from NIST) on SHA's compression function. Yours, Ran rja@extremenetworks.com _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec
- [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- [OPSEC] Prospective issue with IPsec ESP-NULL & I… R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Vishwas Manral
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Vishwas Manral
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… R Atkinson
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Darrel Lewis (darlewis)
- Re: [OPSEC] minutes part 2 Darrel Lewis (darlewis)
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- [OPSEC] FW: minutes part 2 Michael Barnes
- Re: [OPSEC] FW: minutes part 2 Smith, Donald
- Re: [OPSEC] FW: minutes part 2 Michael Barnes
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson